Statik Analiz — AgentTesla | ORTA | CVSS: 5.0

Dosya

SHA256a57a9d810593f48bcca6dbefa78ff9bafb479ecbffde0c6386917e379b0bdd6e
MD5a8ea9b3b7707975e279fb0cdad02d7eb
Dosyaa57a9d810593f48bcca6dbefa78ff9bafb479ecbffde0c6386917e379b0bdd6e.ps1
Boyut957,478 byte
TürASCII text, with very long lines (65449), with CRLF line terminators
Stringler41

IOC

SHA256a57a9d810593f48bcca6dbefa78ff9bafb479ecbffde0c6386917e379b0bdd6e
MD5a8ea9b3b7707975e279fb0cdad02d7eb
BTC3daesNLEFt2JGdaiD2m3QzZUBxH2, 13nRdsQjwSbZtvbDzgQG18QYDooSHCxj, 1y69bvgUQb6gwCRVdk1bC11GMtMAMshkE, 1KdneUXsu8CUPo8F4KpjjBXwrCi, 1UkoVYdd6eZr95Ld7TPcyGAXVpL2L5kCT

AgentTesla — Malware Profile

AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Sayısal obfuscation v6034. SMTP FTP HTTP C2.

Malware Type
Infostealer
Programming Language
.NET
C2 Protocol
SMTP/FTP
Target Systems
Windows
Also Known As (AKA)
Agent Tesla

Technical Details

C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot

Attribution / Threat Actor

Turkce konusulan gelistirici 'Turk Hack Team' ile iliskilendirilen ve Turkiye'den yonetildigi dusunulen platform. Pek cok farkli siber suc grubu musterisi bulunmaktadir.

Capabilities & Behavior

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

IOC List (5 indicators)

IOC — AgentTesla
# 3daesNLEFt2JGdaiD2m3QzZUBxH2 # 13nRdsQjwSbZtvbDzgQG18QYDooSHCxj # 1y69bvgUQb6gwCRVdk1bC11GMtMAMshkE # 1KdneUXsu8CUPo8F4KpjjBXwrCi # 1UkoVYdd6eZr95Ld7TPcyGAXVpL2L5kCT
TypeValueNote
3daesNLEFt2JGdaiD2m3QzZUBxH2 BTC
13nRdsQjwSbZtvbDzgQG18QYDooSHCxj BTC
1y69bvgUQb6gwCRVdk1bC11GMtMAMshkE BTC
1KdneUXsu8CUPo8F4KpjjBXwrCi BTC
1UkoVYdd6eZr95Ld7TPcyGAXVpL2L5kCT BTC

C2 Servers (8 recorded servers for this family)

Address Type Port Protocol Status Country
digicert.com domain — TCP active —
stem.ru domain — TCP active —
digicert.com domain — TCP active —
system.io domain — TCP active —
dublincore.org domain — TCP active —
system.io domain — TCP active —
system.io domain — TCP active —
googleapis.com domain — TCP active —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
AgentTeslamalwarestatik-analizIOC