AgentTesla | 威胁等级: high | 类型: Infostealer
加密标识符
| SHA256 | b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7 |
|---|---|
| MD5 | 3ab9b70e4da1748d3cd2679c6dff64ac |
| 文件类型 | exe |
| 大小 | 564.0 KB |
| 首次发现 | 2026-06-08 |
| 文件名 | b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7 |
| 标签 | AgentTesla, exe |
恶意软件家族: AgentTesla
Agent Tesla, 2014'ten beri aktif keylogger'dır.
| 类型 | Infostealer |
|---|---|
| 编程语言 | .NET |
| 目标平台 | Windows |
| C2 协议 | SMTP/FTP |
| 用途 | Tuş kaydı, kimlik bilgisi hırsızlığı |
| 首次发现年份 | 2014 |
| 别名 | Agent Tesla |
威胁指标 (IOC)
- SHA256:
b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7 - MD5:
3ab9b70e4da1748d3cd2679c6dff64ac
系统清理指南
- 立即将系统从网络断开
- Yeni bir cihazdan banka hesabı, sosyal medya ve e-posta şifrelerini değiştirin
- 将加密钱包转移到新地址,弃用旧钱包
- 使用最新的杀毒软件启动全盘扫描
- 清除浏览器保存的密码并启用双重验证
- 在所有受影响的服务中退出全部会话
YARA 规则提示
rule AgentTesla_SHA256 {
meta:
description = "AgentTesla sample: b4ab9468cbd04d14"
threat_level = "high"
first_seen = "2026-06-08"
condition:
hash.sha256(0, filesize) == "b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7"
}
AgentTesla — 恶意软件档案
AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Sayısal obfuscation v6034. SMTP FTP HTTP C2.
恶意软件类型
Infostealer
编程语言
.NET
C2协议
SMTP/FTP
目标系统
Windows
别名 (AKA)
Agent Tesla
技术细节
C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot
归因 / 威胁行为者
Turkce konusulan gelistirici 'Turk Hack Team' ile iliskilendirilen ve Turkiye'den yonetildigi dusunulen platform. Pek cok farkli siber suc grubu musterisi bulunmaktadir.
能力与行为
Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı
IOC列表 (20 个指标)
IOC — AgentTesla
# SHA256
b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7
# MD5
3ab9b70e4da1748d3cd2679c6dff64ac
# IP
45.33.120.163
# IP
198.54.117.197
# DOMAIN
emailsrv-2024.net
# DOMAIN
secure-mail-relay.com
# DOMAIN
telemetry-agent.xyz
# DOMAIN
smtp.freemail-host.xyz
# DOMAIN
mail.smtp2go.host
# MUTEX
agent_tesla_mutex
# REGISTRY
HKCUSoftwareMicrosoftWindowsCurrentVersionRunAgentTesla
# REGISTRY
HKCUSoftwareMicrosoftWindowsCurrentVersionRunAgent
# FILEPATH
%APPDATA%RoamingAgent[hash].exe
# FILEPATH
%TEMP%agent.exe
# EMAIL
stealer.exfil2025@gmail.com
# EMAIL
harvester_data@protonmail.com
# EMAIL
exfil@protonmail.com
# EMAIL
stealer@mail.com
# EMAIL
exfil@telegram-relay.ru
# URL
https://agenttelsa-ftp.ru/exfil/
| 类型 | 值 | 备注 |
|---|---|---|
| sha256 | b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7 | |
| md5 | 3ab9b70e4da1748d3cd2679c6dff64ac | |
| ip | 45.33.120.163 | AgentTesla SMTP relay |
| ip | 198.54.117.197 | AgentTesla FTP server |
| domain | emailsrv-2024.net | AgentTesla SMTP C2 domain |
| domain | secure-mail-relay.com | AgentTesla FTP exfil domain |
| domain | telemetry-agent.xyz | AgentTesla WebPanel C2 |
| domain | smtp.freemail-host.xyz | C2:587 |
| domain | mail.smtp2go.host | C2:587 |
| mutex | agent_tesla_mutex | AgentTesla default mutex |
| registry | HKCUSoftwareMicrosoftWindowsCurrentVersionRunAgentTesla | AgentTesla Run key |
| registry | HKCUSoftwareMicrosoftWindowsCurrentVersionRunAgent | AgentTesla persistence - generic agent name |
| filepath | %APPDATA%RoamingAgent[hash].exe | AgentTesla persistence path |
| filepath | %TEMP%agent.exe | AgentTesla dropper path |
| stealer.exfil2025@gmail.com | AgentTesla exfiltration Gmail - OSINT tespiti | |
| harvester_data@protonmail.com | AgentTesla ProtonMail exfil - anonym | |
| exfil@protonmail.com | AgentTesla SMTP exfiltration address (sample) | |
| stealer@mail.com | AgentTesla credential email (placeholder) | |
| exfil@telegram-relay.ru | AgentTesla exfil e-posta | |
| url | https://agenttelsa-ftp.ru/exfil/ | AgentTesla FTP exfiltration endpoint |
C2服务器 (该家族共有 8 台已记录服务器)
| 地址 | 类型 | 端口 | 协议 | 状态 | 国家 |
|---|---|---|---|---|---|
| digicert.com | domain | — | TCP | active | — |
| stem.ru | domain | — | TCP | active | — |
| digicert.com | domain | — | TCP | active | — |
| dublincore.org | domain | — | TCP | active | — |
| googleapis.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| freightfacilitators.com | domain | — | TCP | active | — |
| digicert.com | domain | — | TCP | active | — |
C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。