Statik Analiz — AgentTesla | MOYEN | CVSS: 5.0

Fichier

SHA25683d1ba8f9fec5a008453b6075bd792e4a804529f1adc6bb71b676249f7b75c41
MD5c0d5bdc7114993ef7ad91a34ee7505c5
Fichier83d1ba8f9fec5a008453b6075bd792e4a804529f1adc6bb71b676249f7b75c41.ps1
Taille1,106,897 byte
TypeASCII text, with CRLF, LF line terminators
Stringler17,045

IOC

SHA25683d1ba8f9fec5a008453b6075bd792e4a804529f1adc6bb71b676249f7b75c41
MD5c0d5bdc7114993ef7ad91a34ee7505c5
BTC1bPHWaQBrX3nwZoceZxgvA6rhVSKdaC, 3Qo3HxZsVeg8L9thhZzBVBd7UMa, 3hfUZnkNnqCwcsuxFcr5sRm9tQP7wL7, 3vLpHAhkAmt5yHksSYUfCvFDw68, 3vTgnsFUntNuFxTzPBfVmMFMsAN

AgentTesla — Profil du malware

AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Sayısal obfuscation v6034. SMTP FTP HTTP C2.

Type de malware
Infostealer
Langage de programmation
.NET
Protocole C2
SMTP/FTP
Systèmes ciblés
Windows
Aussi connu sous (AKA)
Agent Tesla

Détails techniques

C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot

Attribution / Acteur de la menace

Turkce konusulan gelistirici 'Turk Hack Team' ile iliskilendirilen ve Turkiye'den yonetildigi dusunulen platform. Pek cok farkli siber suc grubu musterisi bulunmaktadir.

Capacités et comportement

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

Liste IOC (5 indicateurs)

IOC — AgentTesla
# 1bPHWaQBrX3nwZoceZxgvA6rhVSKdaC # 3Qo3HxZsVeg8L9thhZzBVBd7UMa # 3hfUZnkNnqCwcsuxFcr5sRm9tQP7wL7 # 3vLpHAhkAmt5yHksSYUfCvFDw68 # 3vTgnsFUntNuFxTzPBfVmMFMsAN
TypeValeurNote
1bPHWaQBrX3nwZoceZxgvA6rhVSKdaC BTC
3Qo3HxZsVeg8L9thhZzBVBd7UMa BTC
3hfUZnkNnqCwcsuxFcr5sRm9tQP7wL7 BTC
3vLpHAhkAmt5yHksSYUfCvFDw68 BTC
3vTgnsFUntNuFxTzPBfVmMFMsAN BTC

Serveurs C2 (8 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
digicert.com domain — TCP active —
stem.ru domain — TCP active —
digicert.com domain — TCP active —
dublincore.org domain — TCP active —
googleapis.com domain — TCP active —
microsoft.com domain — TCP active —
freightfacilitators.com domain — TCP active —
digicert.com domain — TCP active —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
AgentTeslamalwarestatik-analizIOC