agenttesla | 53afdc78b9ae97f2130dbda12deff6f86d32504dec7ad771d9e59ff9f4646b9b

Analysis

Target

ef2473d74f713671d823b00d57a88d24.exe
Size

293KB
MD5

ef2473d74f713671d823b00d57a88d24
SHA1

a85b18146400744ea5710d3ca3a8fa8d2171268c
SHA256

53afdc78b9ae97f2130dbda12deff6f86d32504dec7ad771d9e59ff9f4646b9b
SHA512

cb12cad9b5d395a7cdd9c55603568a5a9f6d4ef9f6375bb14c4b2b2fcb5fc94a608292e0bae845cffe58e531b303873369ee52a6f12f32e9d3683a05cbe9bffc

Score

10^/10

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3768	ef2473d74f713671d823b00d57a88d24.exe
3768	ef2473d74f713671d823b00d57a88d24.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	ef2473d74f713671d823b00d57a88d24.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact