Statik Analiz — AgentTesla | MOYEN | CVSS: 5.0

Fichier

SHA256a42d554e7575ddd5173c8fb039b5dd3b5310dbcaeec680c0506203515320715a
MD5684c82aad3bf24d4d682d1933eeb7d2c
Fichiera42d554e7575ddd5173c8fb039b5dd3b5310dbcaeec680c0506203515320715a.ps1
Taille1,059,162 byte
TypeASCII text, with CRLF, LF line terminators
Stringler16,333

IOC

SHA256a42d554e7575ddd5173c8fb039b5dd3b5310dbcaeec680c0506203515320715a
MD5684c82aad3bf24d4d682d1933eeb7d2c
BTC3AxtJ2mcsMzF8JQHw3v8JquqPbJB, 3Arc8T4mE21ZqyQcr6y85dMyFitd1YgJ, 128i1jn92dQDtxAxVqzh792jBr, 1dk2gZhhmW76mpTUsj1E7THe3M, 1Da34WPiQuMQX1EwaALXL24xLYm

AgentTesla — Profil du malware

AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Sayısal obfuscation v6034. SMTP FTP HTTP C2.

Type de malware
Infostealer
Langage de programmation
.NET
Protocole C2
SMTP/FTP
Systèmes ciblés
Windows
Aussi connu sous (AKA)
Agent Tesla

Détails techniques

C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot

Attribution / Acteur de la menace

Turkce konusulan gelistirici 'Turk Hack Team' ile iliskilendirilen ve Turkiye'den yonetildigi dusunulen platform. Pek cok farkli siber suc grubu musterisi bulunmaktadir.

Capacités et comportement

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

Liste IOC (5 indicateurs)

IOC — AgentTesla
# 3AxtJ2mcsMzF8JQHw3v8JquqPbJB # 3Arc8T4mE21ZqyQcr6y85dMyFitd1YgJ # 128i1jn92dQDtxAxVqzh792jBr # 1dk2gZhhmW76mpTUsj1E7THe3M # 1Da34WPiQuMQX1EwaALXL24xLYm
TypeValeurNote
3AxtJ2mcsMzF8JQHw3v8JquqPbJB BTC
3Arc8T4mE21ZqyQcr6y85dMyFitd1YgJ BTC
128i1jn92dQDtxAxVqzh792jBr BTC
1dk2gZhhmW76mpTUsj1E7THe3M BTC
1Da34WPiQuMQX1EwaALXL24xLYm BTC

Serveurs C2 (8 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
digicert.com domain — TCP active —
stem.ru domain — TCP active —
digicert.com domain — TCP active —
dublincore.org domain — TCP active —
googleapis.com domain — TCP active —
microsoft.com domain — TCP active —
freightfacilitators.com domain — TCP active —
digicert.com domain — TCP active —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
AgentTeslamalwarestatik-analizIOC