agenttesla | a6dd566155d73f0f88bd9967205b5eda136cf2fb11ec1807aa0100d0a0cfbdce | Triage

Sharing

General

Target

a6dd566155d73f0f88bd9967205b5eda136cf2fb11ec1807aa0100d0a0cfbdce
Size

335KB
Sample

250125-bsg9aaykds
MD5

e207d2f637cdac37a18763cf8393c71c
SHA1

6f0c5f08e62fedf0e5934bd3a81bba4879d135f9
SHA256

a6dd566155d73f0f88bd9967205b5eda136cf2fb11ec1807aa0100d0a0cfbdce
SHA512

3ac6be8c024de45de82ea72b23c1a3902adb3c957c6f00e3507504a48f1555e2cf39745df3b4593fb1e26f6bda7d3d2af3c07227431c918ced2c559bf0f235d1
SSDEEP

6144:CWFjb9kuGGNy6CaaH7WbpGh1KWCk7nGVh3ZeC5zhvh9hBj+U8/xy8TpaPf61d:99kWtCaw7OGpl7nQJeCZ9C/NAf61d

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  Dhl shipment documents 00020494940050509606000.exe
- Size
  
  476KB
- MD5
  
  e045c8326ee8ee3a255224d143be1c01
- SHA1
  
  b2d23c0a444317b06a6f2339df790a49dd6d994c
- SHA256
  
  1f7c1d0d5149d693543f2788b8a4e5c64864077b0617c40ac9d90437d2fcd947
- SHA512
  
  8c3a92f558ec3364c571dd5864ffef8d21d888923ac103e1824ac646aa3b2073479d50c1178e94c2e1269289e347f9e0f4d6aee89a3277ff9117718089d66c40
- SSDEEP
  
  12288:KnU51Fb/VSUE9H2sHHVsgQt/1+1hzWXp8NDc:0F1HHVs7tA1ZWXp
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoverykeyloggerspywarestealertrojan

behavioral2

agenttesladiscoverykeyloggerspywarestealertrojan