agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

BastianHein Malware samples.zip
Size

383.3MB
Sample

250324-ygyhfsyks8
MD5

02c4b8634f78e28d57771c6d772d1f02
SHA1

722d093a07a56df8889cdccaabda0d8365e4cc6c
SHA256

e38ccf1e063def469086780d196f6810bd63d0bb09f0cf6d1caae9e537c398a6
SHA512

f88a9b8307922d4c27b564a9c48c68f00f7fb121433478d2d1d3dcf7bd9b832ea2639942ed717723217fef320bc071c26b01718a7a39c837dfc671e6439b7979
SSDEEP

6291456:SStz8RrF6hOEfIGtIcIw3e40ICQHfUcs1vn9Tp9re9mKcafLWxRyz4I9GXMAlKdv:uRJOOEfIGtIcIw3e40ICQHfUcsV9V96/

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6305495597:AAF_ew9pYtXGGwSyDG7TEmK1g6BlTM8J_4s/

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6118451923:AAE5b-PwqcIYRWOSTvI2HWoqu2xjLtG2iDA/sendMessage?chat_id=5725945887

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

BwRat 1.0.0

Botnet

Default

127.0.0.1:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Fagootinc GROUP

192.168.0.178:9250

Mutex

Env3rSdhZhcn

Attributes

delay
3
install
true
install_file
LSRPDRFR.exe
install_folder
%AppData%

aes.plain

Extracted

Family

blackguard

http://funkyjazz.me/

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Extracted

Family

discordrat

Attributes

discord_token
MTMzMDYxOTg4NTMzMTQxNTEyMA.GvolIj.JCM-OtlpaFBedk3GoFB_aY1Hi31oF4XpkLv81A
server_id
1330576263034699828

Extracted

Family

redline

Botnet

cheat

billred229102.duckdns.org:26546

Extracted

Family

remcos

Botnet

zyn

kobo2025rmc.duckdns.org:14646

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZU8BO7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xworm

37.114.39.23:5555

127.0.0.1:7000

Attributes

Install_directory
%ProgramData%
install_file
srtm.exe

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Extracted

Family

darkcomet

Botnet

Guest16_min

xerxesrox.no-ip.biz:83

Mutex

DCMIN_MUTEX-EHQMHJU

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
PcrJ6QRL7ZlH
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

rc4.plain

Extracted

Family

mirai

boki.ug-rp.info

Extracted

Family

formbook

Version

4.1

Campaign

a02d

Decoy

coplus.market

oofing-jobs-74429.bond

healchemists.xyz

oofcarpenternearme-jp.xyz

enewebsolutions.online

harepoint.legal

88977.club

omptables.xyz

eat-pumps-31610.bond

endown.graphics

amsexgirls.website

ovevibes.xyz

u-thiensu.online

yblinds.xyz

rumpchiefofstaff.store

erzog.fun

rrm.lat

agiclime.pro

agaviet59.shop

lbdoanhnhan.net

Extracted

Family

formbook

Version

4.1

Campaign

i62s

Decoy

nvee.info

ovixo.shop

edical-services-36754.bond

iv-test-46512.bond

log103accountbest.shop

cbogamuzrjud.shop

elegaemra.live

razyanimal.art

rasilcap-iagen.info

hy5w9nv.top

ental-age-testing-ai-now.today

ztsuponline.top

esmiid.net

hdpafagrwzwmz.shop

nriqueavila01justresume.click

perationsznl.top

arwrapping-us-44807679.live

oolsvote.shop

1594.net

umanitarkhrestsoc.cyou

Extracted

Family

blihanstealer

Mutex

pomdfghrt

Attributes

user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.studiotip.si
Port:
587
Username:
[email protected]
Password:
.1nfo&std1-
Email To:
[email protected]

Targets

- Target
  
  BastianHein Malware samples/._Process killer.exe
- Size
  
  178B
- MD5
  
  fca65b0a004efe1a7025e0dec446eca7
- SHA1
  
  e5bfc69cb35c8f7d6bb6193ac7d74293e6d938de
- SHA256
  
  06745a5c82ff2ef29f03c86ba9ab8e4d2a9612bffaf6e4a6116486ee9e2b9f54
- SHA512
  
  1495a1a8e32b2aec5a51e808a3582f61122c4f748c31b4c41bd2b25c0ff69de40d6587da73204bc524f18cc5dccf0acb5fe1a7235c947af30c5654ef7ad58f9b
Score

1^/10
behavioral1 behavioral2
- Target
  
  BastianHein Malware samples/AgentTesla/06664fb0f86485bcac0d663acb92e1966ec35ea9ecf4ae8c9456a7167cf06823
- Size
  
  350KB
- MD5
  
  e75777d2f307bff64924b18ef86452e1
- SHA1
  
  85674276f910d0508328a5b9de478c6c250bf9a0
- SHA256
  
  06664fb0f86485bcac0d663acb92e1966ec35ea9ecf4ae8c9456a7167cf06823
- SHA512
  
  630ef8a8f862370c1d710948dc83a008cef846316875fda2d6af39fa948dd40fb39f4a3f9ae138586b819dd33b1a427519e7f440031466eeb52986c676a9e94b
- SSDEEP
  
  6144:UQ3ToY1+mtVXqWFdBH1IoLvHwUI6rYnn32aSyK+J:VMmtVrHwp6rsvF
Score

10^/10

discovery agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  BastianHein Malware samples/AgentTesla/197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005
- Size
  
  1023KB
- MD5
  
  cf0d49a1105c3799980da6a067f7039c
- SHA1
  
  c16ec2611cd09b1839a4ca47898e1759cea1e320
- SHA256
  
  197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005
- SHA512
  
  1b4b32fc37b230b4116855a381256dc1c39e989375890a21a90be0b016fcf3acdf08a0d8df69a65047e2e1861778191cf077578e35df2c8a74aa55f87f7b1325
- SSDEEP
  
  24576:MAHnh+eWsN3skA4RV1Hom2KXFmIaad3OAk5:rh+ZkldoPK1XaadE
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  BastianHein Malware samples/AgentTesla/197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005.exe
- Size
  
  1023KB
- MD5
  
  cf0d49a1105c3799980da6a067f7039c
- SHA1
  
  c16ec2611cd09b1839a4ca47898e1759cea1e320
- SHA256
  
  197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005
- SHA512
  
  1b4b32fc37b230b4116855a381256dc1c39e989375890a21a90be0b016fcf3acdf08a0d8df69a65047e2e1861778191cf077578e35df2c8a74aa55f87f7b1325
- SSDEEP
  
  24576:MAHnh+eWsN3skA4RV1Hom2KXFmIaad3OAk5:rh+ZkldoPK1XaadE
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  BastianHein Malware samples/AgentTesla/1f4c54d2e88831db0ece02e0ddd45d37743ccc634f729164048344ccabb378b5
- Size
  
  1.4MB
- MD5
  
  fe02f53b3e14202c21ae51aafbf62875
- SHA1
  
  0da83d95a52e0ba3674ab27e73ee09cf96ba5aa1
- SHA256
  
  1f4c54d2e88831db0ece02e0ddd45d37743ccc634f729164048344ccabb378b5
- SHA512
  
  b3980b22752787d00be79d0fb7da862978f40435677213a315d18c7400f01e33546f77fc2a2543e2e2fa0e2615321fd2777641153ba0c9238433ce5f272d2b10
- SSDEEP
  
  24576:wetIu9d5dsWGwMFPwhLVinTl5NOJfpcIWD5nl/:wetIuDsxuLVinTl2JPWD5
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  BastianHein Malware samples/AgentTesla/2f83aacc31a29bb50a963b6f49cfe75d0f6f105f9d699571e312c3fd996b1888
- Size
  
  639KB
- MD5
  
  5d7d1ee3a7956e30f12da057ba655e0d
- SHA1
  
  afdfacf7e910a469f4337efb5fe6c0f916b6da42
- SHA256
  
  2f83aacc31a29bb50a963b6f49cfe75d0f6f105f9d699571e312c3fd996b1888
- SHA512
  
  3c511368638d3014395c824ae5318e9c9c1c0c041484eb9c4fceee6e1cdc0d5561c2de1a9d39e59849b090cf9f028830b9b787587031fadf2702e7166c42c45b
- SSDEEP
  
  12288:cfRU+qb9kFCrGrWFVM7evHfN1pZ+JZhtgPCrp:cQJKC5vQevrp0
Score

10^/10

agenttesla collection discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  BastianHein Malware samples/AgentTesla/309c72a0cfc3bd2a848c978921abe215da76dd3aa38f3221d28cb6524c35ba85
- Size
  
  1.1MB
- MD5
  
  b9270904ffd7c1a02c76d8eeeb11649b
- SHA1
  
  b5956f4b224df8ebf34be2c6b69e520c40a4b0b6
- SHA256
  
  309c72a0cfc3bd2a848c978921abe215da76dd3aa38f3221d28cb6524c35ba85
- SHA512
  
  867cd9721c833d32a7337c0aee3f0bd408a201ea74d8c9382548e80537a7bb18842b2a42c4611dfb74866d093806a2458f7dd2231abe530a25e7b8b9fe128020
- SSDEEP
  
  24576:dRmJkcoQricOIQxiZY1WNyBX7Ss0ZH9dGsBIKn8OoNZNn:SJZoQrbTFZY1WNyoPddGsBIK8O8z
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  BastianHein Malware samples/AgentTesla/31c25e01cbaaeadccfa1321680bbfd51c17b876859be87fff22b2db8ee1e117c.exe
- Size
  
  1.1MB
- MD5
  
  d5ee88c8a72921aa9dca20317ed1ef5e
- SHA1
  
  5d9a100342fe7383479829d2d24343ee735a1826
- SHA256
  
  31c25e01cbaaeadccfa1321680bbfd51c17b876859be87fff22b2db8ee1e117c
- SHA512
  
  29b3c4a0a1bf10ff0aa55cc6a26fa96e8b373e18dbb8eab6c344c64ed06cea13de5c27d6cd9f15649d6b317e7f44c1add939561235910747beffbcdb86a5f6a6
- SSDEEP
  
  24576:aUMC8CuZtC8YIBKHfaKWBECn6g2s0O8BD48rWHFDW+1RUrC:aU8CJ6BKHfavBECn6gL0O8BD48rWHFDD
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  BastianHein Malware samples/AgentTesla/56a8937692fdf9a9c0b6cc236a9d3297.exe
- Size
  
  56KB
- MD5
  
  56a8937692fdf9a9c0b6cc236a9d3297
- SHA1
  
  c49469edbb09b9b700994f89441fcbec8fad3053
- SHA256
  
  ea3992a5359a014f61c35b5fab8062843e78be5436ee592a2f660c292b05c70c
- SHA512
  
  6c19569b6ee2dbf86997c9ece4b8278b981b9c62d8d19d1f85d0cb6c518b200d5c715e7ee0a8dc21c8f2255bae778057124f8eb12de4af9ed3a599418ff34459
- SSDEEP
  
  768:2WocZ0hRFj5JSUn+IRfXB7IA7p/IsNmHPM/6eed7F29fzNORxib:2WfWh3Xl/D/IsNmi6eyFn3U
Score

10^/10

agenttesla discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral17 behavioral18
- Target
  
  BastianHein Malware samples/AgentTesla/708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
- Size
  
  928KB
- MD5
  
  80b51e872031a2befeb9a0a13e6fc480
- SHA1
  
  caebbab5349f57d92182ce56ef4bf71ea60226a7
- SHA256
  
  708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089
- SHA512
  
  12e9db89be76788d238f8a7f3114534b50b953b9ef619f84b0a124fba77f5e7d4aa00ae8f6ac3fdb16ecd1398950d6bdadfa43e9ec59b6d59667df5ac3d60879
- SSDEEP
  
  12288:QieE+Q3mJyrf3iKXlrsfPO/l3Zn+aFpNUe2PPaEEaCh:QieE+5UrfvVg+Rd+afNH2PxEZh
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  BastianHein Malware samples/AgentTesla/9da74e41306059077f155debea5f44a5969e79297c9de44a4e355e4bb68b0536.exe
- Size
  
  2.5MB
- MD5
  
  70de418c59709a8703cb46deee36bde6
- SHA1
  
  69ca92a03fc7d986f686c0acafc51dcf515c2f7c
- SHA256
  
  9da74e41306059077f155debea5f44a5969e79297c9de44a4e355e4bb68b0536
- SHA512
  
  cbeedd7aa302b1db4de7608f8f0c35aec37c38421979b6ae43eb759e13129b1e5343e343ebe0910cb8290fb91200a91fd7796a61aaac9e09c271dbdc352ca315
- SSDEEP
  
  49152:1bdYAm4zEbdYAm4zXbdYAm4zKbdYAm4zFbdYAm4zB3An3AI3AJ3AlO3mMM7aApu6:FdrWdrrdrAdr1drlA3AaAtAgu7au
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  BastianHein Malware samples/AgentTesla/AgentTesla-145f6076604900c379d5a82d6a95e6c56df274b34d77158056dccb5834516461.exe
- Size
  
  1014KB
- MD5
  
  cd51f2095b80e7817480645d98e26c2f
- SHA1
  
  7ed972012a1df22988f804eb78281699825ce73a
- SHA256
  
  145f6076604900c379d5a82d6a95e6c56df274b34d77158056dccb5834516461
- SHA512
  
  cdad53ac0756dca5f3a4a5ff5302da50f09b4186ba1c1b8a903aa576825976805e196fdbc146bfa93515a9260a10f40950e863fcb4db34520a3a3c675d78aa26
- SSDEEP
  
  12288:jJJ0DbsmPySOHXKZpmM+hPmYvfZgzZTM2fUmL1i1AqpWqyWjDRgU4T2lPK7JwwJq:VJYQ3KZpH+1DvfARnRiPEEDav2BKBq
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  BastianHein Malware samples/AgentTesla/AgentTesla-150f720cd5e58ff58c421398257b42b92318cec613c657825bc585a43db8270b.exe
- Size
  
  756KB
- MD5
  
  0119d509c3dd48559edc2a5421eaff50
- SHA1
  
  123482fa15b3ff677c72c0d85b2600bc5b3ee6d5
- SHA256
  
  564c051102c81d441815759ce075755af3dbc66b0a0ac6dc31d43d87a0372fe1
- SHA512
  
  5b265d81b50c2c3a61fe88abce41ec8478ff0fdc76eb529afeb731a557a9b556dd3a3ae5f22cac8acc79455593a792b99424d8e53504ef2c1805c76eaae0c1fe
- SSDEEP
  
  12288:4PqGWmesCht01+hzHx5Cqfna1wzWLDR7uuqh22O6lByhqoHsJByDFIIAyS4hpcNK:oct0UhzzCqfSwzWLDpu7hHtwCwIIAyVC
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  BastianHein Malware samples/AgentTesla/AgentTesla-15ec53cab469f3ee56ebb4bb924e7fd211585d273d2ce77d9fd1dbf7335e6249.exe
- Size
  
  256KB
- MD5
  
  4ea744ae395766f11b5307e425501658
- SHA1
  
  a641b1cc15d37bce73a1f012b0ccc057775db419
- SHA256
  
  15ec53cab469f3ee56ebb4bb924e7fd211585d273d2ce77d9fd1dbf7335e6249
- SHA512
  
  80bc7edc7a9ee9ccba97c748ac4ee95c10cb1373e958677c0fc7b82ca5ab01deed023073f04e66182fb585b9460045d83f9a1f3c6c2e4c19ea64447f31aeed41
- SSDEEP
  
  3072:LOuyuyGCC/30dfcbyiM/ht9fYuszeYSe5ozsXVk:LOuyuyGCC/30dfcbyiMRh8k7sF
Score

1^/10
behavioral27 behavioral28
- Target
  
  BastianHein Malware samples/AgentTesla/AgentTesla-3b6632b43aa88d79aa9bdcf19f38f11fd3b0a86915cef4408e390a4d70f068cd.exe
- Size
  
  1.0MB
- MD5
  
  b1b5dd4f24824918f30da39009a61334
- SHA1
  
  c2b34380a152e3d34f455aac100bcfd20bb614d5
- SHA256
  
  3b6632b43aa88d79aa9bdcf19f38f11fd3b0a86915cef4408e390a4d70f068cd
- SHA512
  
  9773181ea8b587604dffd5465f886d492709eb12012fcbfbf325178a6ef6af29991b7c37722d956ee56965a6475344d0a0bd2f2faf62ac64f6854a78d75a7839
- SSDEEP
  
  24576:zAHnh+eWsN3skA4RV1Hom2KXFmIavxKDJMNLC5:+h+ZkldoPK1XavxKD6s
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  BastianHein Malware samples/AgentTesla/AgentTesla-47d4d0c51ec4940172fe3b02f8244547640661b9ba9efda0b7aa8238582a01c7.exe
- Size
  
  256KB
- MD5
  
  d97fc94143801e131f64a0b76eed7425
- SHA1
  
  6c7cc1625492a6a33e0a3c175bf8ed4f7aeca09a
- SHA256
  
  47d4d0c51ec4940172fe3b02f8244547640661b9ba9efda0b7aa8238582a01c7
- SHA512
  
  4e49baaf0ef5ec06effd961ccbe01953a4072e04ef69560f69bf06830f392959c7cc42be0c1bc464ef1afc488547ee32db28b7fa3a41c2814e3a60779dd47a09
- SSDEEP
  
  3072:SgAlxVZljwWsfjbhnpfzgB0rHkc5blzzUR:SgAlxVZljwWsfjbhZzJrEYzY
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Agenttesla family

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops startup file

Looks up external IP address via web service

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

Suspicious use of NtCreateUserProcessOtherParentProcess

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

Adds Run key to start application

Drops file in System32 directory

AgentTesla

Agenttesla family

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6