agenttesla

General

Target

86ec76a64ac162f4699a584a6fbdcf08c6bdfc5e5714e2052b954a7be85e6efc.exe
Size

693KB
Sample

250214-dxth8a1mcs
MD5

cb805d778f2b3ea120e2714f9f0aa47a
SHA1

27699b574b53703759f1d0b9abaf809e45850892
SHA256

86ec76a64ac162f4699a584a6fbdcf08c6bdfc5e5714e2052b954a7be85e6efc
SHA512

0781a51fa0ee43ed3ee2cbeea735545610e5fb30262ca39cdf707198208b3ae4873066cf73e68c18773cdd93d1079758db27f669484630565196ef4cc68d9279
SSDEEP

12288:hDG4hAuAseF4POiVx2TD2QafZytgdPb48pymqge58jznxP:t2nsmpi6D2BytGDnxPh

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://mail.hearing-vision.com
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!

Targets

- Target
  
  86ec76a64ac162f4699a584a6fbdcf08c6bdfc5e5714e2052b954a7be85e6efc.exe
- Size
  
  693KB
- MD5
  
  cb805d778f2b3ea120e2714f9f0aa47a
- SHA1
  
  27699b574b53703759f1d0b9abaf809e45850892
- SHA256
  
  86ec76a64ac162f4699a584a6fbdcf08c6bdfc5e5714e2052b954a7be85e6efc
- SHA512
  
  0781a51fa0ee43ed3ee2cbeea735545610e5fb30262ca39cdf707198208b3ae4873066cf73e68c18773cdd93d1079758db27f669484630565196ef4cc68d9279
- SSDEEP
  
  12288:hDG4hAuAseF4POiVx2TD2QafZytgdPb48pymqge58jznxP:t2nsmpi6D2BytGDnxPh
Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Downloads MZ/PE file
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  ee260c45e97b62a5e42f17460d406068
- SHA1
  
  df35f6300a03c4d3d3bd69752574426296b78695
- SHA256
  
  e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
- SHA512
  
  a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3
- SSDEEP
  
  192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4