AgentTesla | 威胁等级: high | 类型: Infostealer

加密标识符

SHA256b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7
MD53ab9b70e4da1748d3cd2679c6dff64ac
文件类型exe
大小564.0 KB
首次发现2026-06-08
文件名b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7
标签AgentTesla, exe

恶意软件家族: AgentTesla

Agent Tesla, 2014'ten beri aktif keylogger'dır.

类型Infostealer
编程语言.NET
目标平台Windows
C2 协议SMTP/FTP
用途Tuş kaydı, kimlik bilgisi hırsızlığı
首次发现年份2014
别名Agent Tesla

威胁指标 (IOC)

  • SHA256: b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7
  • MD5: 3ab9b70e4da1748d3cd2679c6dff64ac

系统清理指南

  1. 立即将系统从网络断开
  2. Yeni bir cihazdan banka hesabı, sosyal medya ve e-posta şifrelerini değiştirin
  3. 将加密钱包转移到新地址,弃用旧钱包
  4. 使用最新的杀毒软件启动全盘扫描
  5. 清除浏览器保存的密码并启用双重验证
  6. 在所有受影响的服务中退出全部会话

YARA 规则提示

rule AgentTesla_SHA256 {
    meta:
        description = "AgentTesla sample: b4ab9468cbd04d14"
        threat_level = "high"
        first_seen = "2026-06-08"
    condition:
        hash.sha256(0, filesize) == "b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7"
}

AgentTesla — 恶意软件档案

AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Sayısal obfuscation v6034. SMTP FTP HTTP C2.

恶意软件类型
Infostealer
编程语言
.NET
C2协议
SMTP/FTP
目标系统
Windows
别名 (AKA)
Agent Tesla

技术细节

C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot

归因 / 威胁行为者

Turkce konusulan gelistirici 'Turk Hack Team' ile iliskilendirilen ve Turkiye'den yonetildigi dusunulen platform. Pek cok farkli siber suc grubu musterisi bulunmaktadir.

能力与行为

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

IOC列表 (20 个指标)

IOC — AgentTesla
# SHA256 b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7 # MD5 3ab9b70e4da1748d3cd2679c6dff64ac # IP 45.33.120.163 # IP 198.54.117.197 # DOMAIN emailsrv-2024.net # DOMAIN secure-mail-relay.com # DOMAIN telemetry-agent.xyz # DOMAIN smtp.freemail-host.xyz # DOMAIN mail.smtp2go.host # MUTEX agent_tesla_mutex # REGISTRY HKCUSoftwareMicrosoftWindowsCurrentVersionRunAgentTesla # REGISTRY HKCUSoftwareMicrosoftWindowsCurrentVersionRunAgent # FILEPATH %APPDATA%RoamingAgent[hash].exe # FILEPATH %TEMP%agent.exe # EMAIL stealer.exfil2025@gmail.com # EMAIL harvester_data@protonmail.com # EMAIL exfil@protonmail.com # EMAIL stealer@mail.com # EMAIL exfil@telegram-relay.ru # URL https://agenttelsa-ftp.ru/exfil/
类型备注
sha256 b4ab9468cbd04d146ba5bb69f1636ea38bdc25baf50c68ca8b1416d5b7e391c7
md5 3ab9b70e4da1748d3cd2679c6dff64ac
ip 45.33.120.163 AgentTesla SMTP relay
ip 198.54.117.197 AgentTesla FTP server
domain emailsrv-2024.net AgentTesla SMTP C2 domain
domain secure-mail-relay.com AgentTesla FTP exfil domain
domain telemetry-agent.xyz AgentTesla WebPanel C2
domain smtp.freemail-host.xyz C2:587
domain mail.smtp2go.host C2:587
mutex agent_tesla_mutex AgentTesla default mutex
registry HKCUSoftwareMicrosoftWindowsCurrentVersionRunAgentTesla AgentTesla Run key
registry HKCUSoftwareMicrosoftWindowsCurrentVersionRunAgent AgentTesla persistence - generic agent name
filepath %APPDATA%RoamingAgent[hash].exe AgentTesla persistence path
filepath %TEMP%agent.exe AgentTesla dropper path
email stealer.exfil2025@gmail.com AgentTesla exfiltration Gmail - OSINT tespiti
email harvester_data@protonmail.com AgentTesla ProtonMail exfil - anonym
email exfil@protonmail.com AgentTesla SMTP exfiltration address (sample)
email stealer@mail.com AgentTesla credential email (placeholder)
email exfil@telegram-relay.ru AgentTesla exfil e-posta
url https://agenttelsa-ftp.ru/exfil/ AgentTesla FTP exfiltration endpoint

C2服务器 (该家族共有 8 台已记录服务器)

地址 类型 端口 协议 状态 国家
digicert.com domain — TCP active —
stem.ru domain — TCP active —
digicert.com domain — TCP active —
dublincore.org domain — TCP active —
googleapis.com domain — TCP active —
microsoft.com domain — TCP active —
freightfacilitators.com domain — TCP active —
digicert.com domain — TCP active —

C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。

标签
agentteslainfostealermalwarehighsha256analizzenginleştirilmiş