agenttesla | 555bc41d6b7911af7ad8ca46fef4fea731de07f8feaa6964378f08ae9952ee3b | Triage

Submit
Reports

Overview

overview

Static

static

8

Company Bu...rd.ppt

windows7_x64

Company Bu...rd.ppt

windows10_x64

Resubmissions

24-02-2021 08:58

210224-tl28w92rna 10

24-02-2021 01:17

210224-zky61bvvjx 8

Sharing

General

Target

Company Business Card.ppt
Size

216KB
Sample

210224-tl28w92rna
MD5

2b3d67c54557405839996ee70857b5ec
SHA1

a0b2e584a6eb8c723a376bac76db060938bd893f
SHA256

555bc41d6b7911af7ad8ca46fef4fea731de07f8feaa6964378f08ae9952ee3b
SHA512

08b115ebb1c68468d5e7b81ca9650ae0a856c00b928eb11b34781127018f20279295f959b73bb8588ae16c53638f057d4a4ebd2252c5e73911a7d7584b6eef3c

Score

10^/10

agenttesla keylogger macro persistence spyware stealer trojan xlm

Static task

static1

Behavioral task

behavioral1

Sample

Company Business Card.ppt

Resource

win7v20201028

agenttesla keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Company Business Card.ppt

Resource

win10v20201028

agenttesla keylogger persistence spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

C2

http://193.56.28.231/webpanel-nick2/inc/8c5de8c1d1501d.php

Targets

- Target
  
  Company Business Card.ppt
- Size
  
  216KB
- MD5
  
  2b3d67c54557405839996ee70857b5ec
- SHA1
  
  a0b2e584a6eb8c723a376bac76db060938bd893f
- SHA256
  
  555bc41d6b7911af7ad8ca46fef4fea731de07f8feaa6964378f08ae9952ee3b
- SHA512
  
  08b115ebb1c68468d5e7b81ca9650ae0a856c00b928eb11b34781127018f20279295f959b73bb8588ae16c53638f057d4a4ebd2252c5e73911a7d7584b6eef3c
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

agentteslakeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy