agenttesla | de1ec15823c3d7078339d1211ffeafd491e23c409d8d55dcc25c552beb9d3c5b | Triage

Submit
Reports

Overview

overview

Static

static

8

ABSURY CHI...46.doc

windows7_x64

ABSURY CHI...46.doc

windows10_x64

Sharing

General

Target

ABSURY CHINA PO#200929H3246.doc
Size

137KB
Sample

210311-f89sptyk12
MD5

ac33ee5032e398b9c27377762e1f7f17
SHA1

56089cc1a763cf6a078babee414ff6b9ab522a8a
SHA256

de1ec15823c3d7078339d1211ffeafd491e23c409d8d55dcc25c552beb9d3c5b
SHA512

4e883ecf884c46686dcd8ffa4392a1b549b0d3d4bbea9c3c07a9a421546168724da2e9b98030aed1bb99c6dee5f8cd8ae075bac4e14126bc7b7d1a61b3afde51

Score

10^/10

agenttesla keylogger macro spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ABSURY CHINA PO#200929H3246.doc

Resource

win7v20201028

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ABSURY CHINA PO#200929H3246.doc

Resource

win10v20201028

agenttesla keylogger spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bit.ly/3cnqYgk

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.rdnsanom.xyz
Port:
587
Username:
[email protected]
Password:
O?qr3+lOv9j_

Targets

- Target
  
  ABSURY CHINA PO#200929H3246.doc
- Size
  
  137KB
- MD5
  
  ac33ee5032e398b9c27377762e1f7f17
- SHA1
  
  56089cc1a763cf6a078babee414ff6b9ab522a8a
- SHA256
  
  de1ec15823c3d7078339d1211ffeafd491e23c409d8d55dcc25c552beb9d3c5b
- SHA512
  
  4e883ecf884c46686dcd8ffa4392a1b549b0d3d4bbea9c3c07a9a421546168724da2e9b98030aed1bb99c6dee5f8cd8ae075bac4e14126bc7b7d1a61b3afde51
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Blocklisted process makes network request
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

agentteslakeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy