agenttesla

General

Target

c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58
Size

909KB
Sample

250209-b4z88s1ldt
MD5

e4867f55b3f1aefa733a5a0857d17123
SHA1

40221d838aeeeb9c20ae756f0ad5a98bd69fc0c0
SHA256

c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58
SHA512

6abdf3d769ac2818217e901e94db06c930056d2cda652324cd6e5fbcb84a77f04d83f644af46d6acd8030a8dca2e0351647532c9fa7f88eb984cf06d2390d948
SSDEEP

12288:0C3R4yaY+g0D9D+fw8ZAd+ZjxGLWhWuDb5B9304KuI4biDBfR5j5TzIBCZYu+fQj:00fwyQ+ZJBH3Ih4biDLTmAYu+oA0Ar25

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
inhanoi.net.vn
Port:
21
Username:
[email protected]
Password:
^TSt3!FK$UBA

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://inhanoi.net.vn
Port:
21
Username:
[email protected]
Password:
^TSt3!FK$UBA

Targets

- Target
  
  c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58
- Size
  
  909KB
- MD5
  
  e4867f55b3f1aefa733a5a0857d17123
- SHA1
  
  40221d838aeeeb9c20ae756f0ad5a98bd69fc0c0
- SHA256
  
  c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58
- SHA512
  
  6abdf3d769ac2818217e901e94db06c930056d2cda652324cd6e5fbcb84a77f04d83f644af46d6acd8030a8dca2e0351647532c9fa7f88eb984cf06d2390d948
- SSDEEP
  
  12288:0C3R4yaY+g0D9D+fw8ZAd+ZjxGLWhWuDb5B9304KuI4biDBfR5j5TzIBCZYu+fQj:00fwyQ+ZJBH3Ih4biDLTmAYu+oA0Ar25
Score

10^/10

discovery agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  960a5c48e25cf2bca332e74e11d825c9
- SHA1
  
  da35c6816ace5daf4c6c1d57b93b09a82ecdc876
- SHA256
  
  484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
- SHA512
  
  cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da
- SSDEEP
  
  192:jVL7iZJX76BiqsO7+UZEw+RlthVEoC0O3XB:g7ssOpZs/hS3X
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4