agenttesla | fdf939f394771c4e6a044924046b7082e87bbd2536fc2efe478bd0cc5753b2d8 | Triage

Submit
Reports

Overview

overview

Static

static

shipment document.doc

windows7_x64

shipment document.doc

windows10_x64

1

Sharing

General

Target

shipment document.doc
Size

1.9MB
Sample

210126-7z28qlcfhs
MD5

bc7f085da0717ce2b087f9743d2663d6
SHA1

c148128be910afd96d77afe815f8b3c6f41e4801
SHA256

fdf939f394771c4e6a044924046b7082e87bbd2536fc2efe478bd0cc5753b2d8
SHA512

737dded6e4ebf73f2d6948cb4e01cae47d92d178bc2f37486d65c8935a322546edb1f26c232689e09c6e77320d85999832785557554d3658b3d2844d5a9dff9c

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

shipment document.doc

Resource

win7v20201028

agenttesla keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

shipment document.doc

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.atulvideo.com
Port:
587
Username:
[email protected]
Password:
WR@Q]rUZ-eQ#

Targets

- Target
  
  shipment document.doc
- Size
  
  1.9MB
- MD5
  
  bc7f085da0717ce2b087f9743d2663d6
- SHA1
  
  c148128be910afd96d77afe815f8b3c6f41e4801
- SHA256
  
  fdf939f394771c4e6a044924046b7082e87bbd2536fc2efe478bd0cc5753b2d8
- SHA512
  
  737dded6e4ebf73f2d6948cb4e01cae47d92d178bc2f37486d65c8935a322546edb1f26c232689e09c6e77320d85999832785557554d3658b3d2844d5a9dff9c
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy