agenttesla | 2cc36c542e5ff83176a2c53aadac70573c5bff8394a9b6e5ff04aaece27679a5 | Triage

Sharing

General

Target

2cc36c542e5ff83176a2c53aadac70573c5bff8394a9b6e5ff04aaece27679a5
Size

214KB
Sample

250129-bxm1bswrdt
MD5

7065a77c43f5e688cbbb8b45d75d7eb0
SHA1

5aa7a6d80582445b9713ac1682b41da55c9dc42a
SHA256

2cc36c542e5ff83176a2c53aadac70573c5bff8394a9b6e5ff04aaece27679a5
SHA512

89e41d799e06d00bc822621039ab39c6beff71cbfcc034361990c6cab333a7ac6e1e0fd10346da96f7883ff33de8da454c0c9508f8825e49fab74322ee8a74ca
SSDEEP

3072:ZZVBzTyj30bB39kj2xbYtD+qwJ6y1SCARiCutdx7sZzkB9ASVD8ehOejKndsd:Tzej30BRYB+Pn1S+tnsZwHPVeejQdsd

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Extracted

Credentials

Protocol: ftp
Host:
ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  DHL Shipment documents 0000988898899000989899000.exe
- Size
  
  319KB
- MD5
  
  166122bf6bf10ec84aa02545bca83566
- SHA1
  
  983664d5c14a95865318798b28c9ccf7a1345632
- SHA256
  
  e735acafdc8ca72f83e0f32dbea9a961a4c55294445c1ff5e4e71aa459e5a5bf
- SHA512
  
  677860ac46607cec79d74e786a4419136f953737c901251f11d2b08ef61885b4ad88217ecb8ada825b36d9c735943f8d8d268c7480b7849a13f625e7f39c1063
- SSDEEP
  
  6144:Mbaas4TUq6A9x9C2Vb5MjjLcuO93y5WdWzWxXc:4dTiqx9C2B5MjXcX3GWdW
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoverykeyloggerspywarestealertrojan

behavioral2

agenttesladiscoverykeyloggerspywarestealertrojan