agenttesla

General

Target

1b93e35046b65fd1204131c752ff9a6f1cad3383b26e30c66cb4dc6c15923691
Size

1.9MB
Sample

250326-n8jhha1ns5
MD5

762930767ac71a8674bba4871ad7917a
SHA1

cd54e812046f1b0449e2d145a2613cf62e55720c
SHA256

1b93e35046b65fd1204131c752ff9a6f1cad3383b26e30c66cb4dc6c15923691
SHA512

3dd8d6c4a4043d6146cc84ab658ac79a917689c120cf9a97b1acaa3975995b23b0f06e9e819e9234bf4a7b9c521f7ea374ba661153d5716debc868ba94149eaf
SSDEEP

24576:xuMVWyZ20itWf6QKP28rNaoA3loPwtJhUADiiB2Lln/bsOgAdjv0LZi:xuMQm2fCbEA3GPsPUGIngABvK

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.rusticpensiune.ro
Port:
21
Username:
FTPAdmin@rusticpensiune.ro
Password:
99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Targets

- Target
  
  ZAMÓWIENIE_NR.2503261189303-22.exe
- Size
  
  1.4MB
- MD5
  
  bb8ebb7e2951662ced5e2f65684155b5
- SHA1
  
  4da55f17a8425484b999e3eceac42fd4882aea59
- SHA256
  
  89e85fa592b8da5c4b6538ff706e875b7a8bb5d48ab74dbd0a0fbd953eb954b0
- SHA512
  
  189981b9e9ef1232abf5990c880338eed2ced9589eec5fae3d3d534b1dedbf49dc086937607e85204d1dd71d48984608cf0e231e88a227d46fb9917498161679
- SSDEEP
  
  24576:EuMVWyZ20itWf6QKP28rNaoA3loPwtJhUADiiB2Lln/bsOgAdjv0LZi:EuMQm2fCbEA3GPsPUGIngABvK
Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  12b140583e3273ee1f65016becea58c4
- SHA1
  
  92df24d11797fefd2e1f8d29be9dfd67c56c1ada
- SHA256
  
  014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
- SHA512
  
  49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a
- SSDEEP
  
  192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C
Score

3^/10

discovery
behavioral3 behavioral4