agenttesla

General

Target

26032025_1559_PO_5063588533982668888839393665187368.exe.iso
Size

1.9MB
Sample

250326-tfjwfsznw7
MD5

a6ad80a111a2f2890af28b7bcca3a2c8
SHA1

4840f2491ed7234b4d15624c1dc333c504bc1c48
SHA256

3058943ae31559238e25e88e6dfbba109ba0848c129a9742795797337f27bf3e
SHA512

ac5508a648dee6b9e238b6905e300ea8605a90c1050db27d1b4960dced44b37b1a920abf0a5a52ae9d724ed3828574fc49ca4b09c198436144f82d0a7415d1e4
SSDEEP

24576:wuMVMzHC/rDrAoD48AT9Ndd8loPwtJhUADiiB2Lln/bsOgAdjv0LZi:wuM0HC/r11yNdCGPsPUGIngABvK

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.carbognin.it
Port:
21
Username:
[email protected]
Password:
59Cif8wZUH#X

Targets

- Target
  
  PO_5063588533982668888839393665187368.exe
- Size
  
  1.4MB
- MD5
  
  07ebe75a608e5afd94a06bc865f6eb71
- SHA1
  
  6501f07c81528541bf3efd4a103d3a19d1ddbcb4
- SHA256
  
  f5e0b21161bfe9a8f8805186f8124f81e12c5430b82efdc1743b0ed343a5a4dd
- SHA512
  
  7f68c2ecdabaaa61a8a64c5a226e00161e5be35e8ca3a82453fb8e89146342e3ce2b410c222dc20a7bf0bf00b41008ab9faa689ebea4d659b5b1337205409336
- SSDEEP
  
  24576:vuMVMzHC/rDrAoD48AT9Ndd8loPwtJhUADiiB2Lln/bsOgAdjv0LZiV:vuM0HC/r11yNdCGPsPUGIngABvKU
Score

10^/10

guloader discovery downloader agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  12b140583e3273ee1f65016becea58c4
- SHA1
  
  92df24d11797fefd2e1f8d29be9dfd67c56c1ada
- SHA256
  
  014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
- SHA512
  
  49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a
- SSDEEP
  
  192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Imbuement.Pub
- Size
  
  512KB
- MD5
  
  cbdb7c9b2e95c4e477e6924d6498630e
- SHA1
  
  9720dcddfa5fb2e8c67e365ba952e1acde14cc88
- SHA256
  
  936f83d81811af3f4849efb2a29f86326592d2b9ffec0392ec0fb761f3184298
- SHA512
  
  53ccecbcb89763ee2db902d077c6d61e83bb460f268024849ef769eff0ec1120623bf96816c7c28458b9e3da68094af5089baf656347642e3e576eb936957605
- SSDEEP
  
  12288:igwiKVkAlw7BFGfphiOQf9lt24R3pmdDKb:tZK1lwj6pVc9lt2S3pkOb
Score

3^/10

discovery
behavioral5 behavioral6