agenttesla | 2259e5a115cf67489d19d8a0076f1a86c2e9066483ad36a5036ca5d2e5b1f715

Analysis

Target

lav.exe
Size

278KB
MD5

3733b384bb81dce1bc7758cc1ac74f22
SHA1

ae925d7653d0a9726c11eef634d5fcf46ac7c90d
SHA256

2259e5a115cf67489d19d8a0076f1a86c2e9066483ad36a5036ca5d2e5b1f715
SHA512

1f552dc6c4ccd94fb3dacf54e7c1ab406dab2ba139b378e17f090dfea5796f0c37dc02b0ec0f7c4b26a560cde665d2d1802e779c970a00a81ead89a994d834af

Score

10^/10

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
272	lav.exe
272	lav.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	272	lav.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact