Statik Analiz — AgentTesla | MOYEN | CVSS: 5.0

Fichier

SHA256555fdbe80f61af5e6f5a3183635d85a077d002d247160eb2c59c68557d54d5d3
MD581ab69f8b16bd7796ef7ae0ec33ce4a4
Fichier555fdbe80f61af5e6f5a3183635d85a077d002d247160eb2c59c68557d54d5d3.ps1
Taille967,177 byte
TypeASCII text, with CRLF, LF line terminators
Stringler14,893

IOC

SHA256555fdbe80f61af5e6f5a3183635d85a077d002d247160eb2c59c68557d54d5d3
MD581ab69f8b16bd7796ef7ae0ec33ce4a4
BTC3Uumv5pAjx5mT2bj9wJSRiY1yQC, 3D2Gi9s9oJm8Y7fpTHQvTcncpnNjyQ2d, 1r65tWpcAtdmZWRHGqK12GG9mVCpPbSM7EL, 3vYwGt5ijadMLqZo2h4D4F8HoiERmMWuxy, 1523nnoKCQX3r2kCLo6CewiL4i

AgentTesla — Profil du malware

AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Sayısal obfuscation v6034. SMTP FTP HTTP C2.

Type de malware
Infostealer
Langage de programmation
.NET
Protocole C2
SMTP/FTP
Systèmes ciblés
Windows
Aussi connu sous (AKA)
Agent Tesla

Détails techniques

C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot

Attribution / Acteur de la menace

Turkce konusulan gelistirici 'Turk Hack Team' ile iliskilendirilen ve Turkiye'den yonetildigi dusunulen platform. Pek cok farkli siber suc grubu musterisi bulunmaktadir.

Capacités et comportement

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

Liste IOC (5 indicateurs)

IOC — AgentTesla
# 3Uumv5pAjx5mT2bj9wJSRiY1yQC # 3D2Gi9s9oJm8Y7fpTHQvTcncpnNjyQ2d # 1r65tWpcAtdmZWRHGqK12GG9mVCpPbSM7EL # 3vYwGt5ijadMLqZo2h4D4F8HoiERmMWuxy # 1523nnoKCQX3r2kCLo6CewiL4i
TypeValeurNote
3Uumv5pAjx5mT2bj9wJSRiY1yQC BTC
3D2Gi9s9oJm8Y7fpTHQvTcncpnNjyQ2d BTC
1r65tWpcAtdmZWRHGqK12GG9mVCpPbSM7EL BTC
3vYwGt5ijadMLqZo2h4D4F8HoiERmMWuxy BTC
1523nnoKCQX3r2kCLo6CewiL4i BTC

Serveurs C2 (8 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
digicert.com domain — TCP active —
stem.ru domain — TCP active —
digicert.com domain — TCP active —
dublincore.org domain — TCP active —
googleapis.com domain — TCP active —
microsoft.com domain — TCP active —
freightfacilitators.com domain — TCP active —
digicert.com domain — TCP active —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
AgentTeslamalwarestatik-analizIOC