agenttesla

General

Target

CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
Size

952KB
Sample

200709-mrw6zw6v7n
MD5

7e8eedd86f24f4e63ed26ff677162e75
SHA1

e9a7b4c02a2f2916a3604a417af65260e33436a4
SHA256

bb44a88339e83bc2ecbd06edef1acf6c54e66c4c4922005a67c27f970f717075
SHA512

f16624dd72c63bb944d45c25c80a6ed6d8400e994e852db3879602b3107dd3e09dd7d1c5c893598f0d64f15bd98828bc7e67a48ee91943e833e13324d0d016c3

Score

10^/10

Malware Config

Extracted

Family

formbook

C2

http://www.mansiobok2.info/ns424/

Decoy

loginaccount-secure.com

roadside-web.com

lovelydays.info

mariotime.com

toursmundialrusia.com

confidentbeauty.tips

duongtinhot24h.com

wcw.info

rabatte.click

xn--2nyy10g.biz

botuzm.net

galebplast.com

mahony-diet.com

3ctoken.com

mantispeed.com

withyou-cm.com

rightwebmarketing.com

pksbarandgrill.net

systemscan12.top

velinablog.com

Targets

- Target
  
  CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
- Size
  
  952KB
- MD5
  
  7e8eedd86f24f4e63ed26ff677162e75
- SHA1
  
  e9a7b4c02a2f2916a3604a417af65260e33436a4
- SHA256
  
  bb44a88339e83bc2ecbd06edef1acf6c54e66c4c4922005a67c27f970f717075
- SHA512
  
  f16624dd72c63bb944d45c25c80a6ed6d8400e994e852db3879602b3107dd3e09dd7d1c5c893598f0d64f15bd98828bc7e67a48ee91943e833e13324d0d016c3
Score

10^/10

agenttesla formbook keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- AgentTesla Payload
- Formbook Payload
  rat
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook

AgentTesla Payload

Formbook Payload

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2