agenttesla | 9da3f3e0eb77d090aae39e7df9c2e5a0243d0f4cd26c7a7ed0831bafde6e9fe6 | Triage

Submit
Reports

Overview

overview

Static

static

3

PO 5002407962.exe

windows7-x64

PO 5002407962.exe

windows10-2004-x64

Sharing

General

Target

9da3f3e0eb77d090aae39e7df9c2e5a0243d0f4cd26c7a7ed0831bafde6e9fe6.tar
Size

615KB
Sample

240629-b2tcxa1dkq
MD5

573b8c0a2ca6ca5946a228ec4fdb0c81
SHA1

787b5f4a56ab950d0d53341733a59f3438844246
SHA256

9da3f3e0eb77d090aae39e7df9c2e5a0243d0f4cd26c7a7ed0831bafde6e9fe6
SHA512

447255110783194e3142ec10388d2b05376e4be7d06a30338a354bc8551c2e3c7cc52df6a5cd9401d7d41df9864d37071a9ed5bcc8179168f172a9f271f7913f
SSDEEP

12288:qb3RdVPvbTp3yondB5J6mG3fW+WcfQuktNa6Pnu5DgPQIWv4CJ+e:OjMondLJ6m2WcQuSs6PnHYIY4i

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

PO 5002407962.exe

Resource

win7-20240221-en

agenttesla keylogger spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

PO 5002407962.exe

Resource

win10v2004-20240508-en

agenttesla keylogger spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
,%EVY$JU0=lu

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
,%EVY$JU0=lu

Targets

- Target
  
  PO 5002407962.exe
- Size
  
  1.2MB
- MD5
  
  aec18c694fce000f07ae7dc56653bff0
- SHA1
  
  840635306bec9a2ec62d9c12fd19eece134878cf
- SHA256
  
  82e145d3a3699341fd1baab548a2327fa87e642e7734b8b12121f24e072ec9d9
- SHA512
  
  cbb1849e23bb055ef059ad1b5c32823edc2fc52151a9d55a0c1f84a381687b8717175f00e39fbbdbf3b1fc4cd8341b56f492fc218202f8e9e9a7f4211d014ef7
- SSDEEP
  
  12288:eARmQ3lR3IYGg0RAbueIKU41eksRz+goaoxmQa3/tYCSbD/PxN:3Z5GTRAqVUeksRzjojG3SCUD/
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables packed with or use KoiVM
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy