agenttesla

General

Target

9b3c208aa85512eec82a737a073965e8.exe
Size

700KB
Sample

250423-kagz8swmv2
MD5

9b3c208aa85512eec82a737a073965e8
SHA1

7e548d758f5041e07007b9f2ca735de675d68686
SHA256

88d86232f29100795de49ec32dcfcd35ab34d6b7e1b1a61ecf33c4dc56e60a71
SHA512

0acfc3312c61d354163999087d6c2e754cc2c48fcce331283adcb73eaf6a30b353a559fcb1770e96bfc667401b5e9df7cf5a681db7f2cf315f0eb47fa07c800e
SSDEEP

12288:XT/rmFskovjlnpLJBUt9oMbBBDNnrkaCRUgU6gZaPTXVL:XTD3TL8t1hFMUHMPJL

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  9b3c208aa85512eec82a737a073965e8.exe
- Size
  
  700KB
- MD5
  
  9b3c208aa85512eec82a737a073965e8
- SHA1
  
  7e548d758f5041e07007b9f2ca735de675d68686
- SHA256
  
  88d86232f29100795de49ec32dcfcd35ab34d6b7e1b1a61ecf33c4dc56e60a71
- SHA512
  
  0acfc3312c61d354163999087d6c2e754cc2c48fcce331283adcb73eaf6a30b353a559fcb1770e96bfc667401b5e9df7cf5a681db7f2cf315f0eb47fa07c800e
- SSDEEP
  
  12288:XT/rmFskovjlnpLJBUt9oMbBBDNnrkaCRUgU6gZaPTXVL:XTD3TL8t1hFMUHMPJL
Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  6e55a6e7c3fdbd244042eb15cb1ec739
- SHA1
  
  070ea80e2192abc42f358d47b276990b5fa285a9
- SHA256
  
  acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
- SHA512
  
  2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35
- SSDEEP
  
  192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
Score

3^/10

discovery
behavioral3 behavioral4