agenttesla

General

Target

9665879c5c26c6bce2c05c977f91dad5a19188059b4f380bec54a380f9f7c9c4.exe
Size

796KB
Sample

240701-pl6vysvdqn
MD5

ffd403a9e8f8342fc37865b623a25c15
SHA1

1bd6ec07290ad0f7e78c81d118d3286c6b2def91
SHA256

9665879c5c26c6bce2c05c977f91dad5a19188059b4f380bec54a380f9f7c9c4
SHA512

0ddaddc190ffbe76a867dbd6ede6449748894de7fee2be1c039624d96a8d938505375af5872dddf1b1f20f70bbdcec195a573d8d7b689d9fc88699fb956406f8
SSDEEP

24576:ipbzMtl7fAwDXHcmj12f1E6Hn8A4dEztQPm:iZAtVAwr8mEfq6H9KEeP

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.jeepcommerce.rs
Port:
21
Username:
[email protected]
Password:
bL&q9JeQmSE)

Targets

- Target
  
  9665879c5c26c6bce2c05c977f91dad5a19188059b4f380bec54a380f9f7c9c4.exe
- Size
  
  796KB
- MD5
  
  ffd403a9e8f8342fc37865b623a25c15
- SHA1
  
  1bd6ec07290ad0f7e78c81d118d3286c6b2def91
- SHA256
  
  9665879c5c26c6bce2c05c977f91dad5a19188059b4f380bec54a380f9f7c9c4
- SHA512
  
  0ddaddc190ffbe76a867dbd6ede6449748894de7fee2be1c039624d96a8d938505375af5872dddf1b1f20f70bbdcec195a573d8d7b689d9fc88699fb956406f8
- SSDEEP
  
  24576:ipbzMtl7fAwDXHcmj12f1E6Hn8A4dEztQPm:iZAtVAwr8mEfq6H9KEeP
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2