agenttesla | 9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6 | Triage

Submit
Reports

Overview

overview

Static

static

8

9161bc0ac7...b6.pps

windows7_x64

9161bc0ac7...b6.pps

windows10_x64

Sharing

General

Target

9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6
Size

83KB
Sample

210315-zyx7v56et6
MD5

43d6c3f16b3af2b31f6db8cf8702b5c8
SHA1

51a1010f9b54cb916474d288694a8255809f7843
SHA256

9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6
SHA512

20a5cbb63445b08e08f9cc03152a2577f4e8a7f19d899c0aaac4450199305529c1d9cacacb8193b863d4d7c278dee2e32a1ee9083dccb39fb0bee42476e4238f

Score

10^/10

agenttesla evasion keylogger macro macro_on_action persistence spyware stealer trojan xlm

Static task

static1

macro xlm macro_on_action

Behavioral task

behavioral1

Sample

9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6.pps

Resource

win7v20201028

evasion persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6.pps

Resource

win10v20201028

agenttesla evasion keylogger persistence spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
@damienzy.xyz2240

Targets

- Target
  
  9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6
- Size
  
  83KB
- MD5
  
  43d6c3f16b3af2b31f6db8cf8702b5c8
- SHA1
  
  51a1010f9b54cb916474d288694a8255809f7843
- SHA256
  
  9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6
- SHA512
  
  20a5cbb63445b08e08f9cc03152a2577f4e8a7f19d899c0aaac4450199305529c1d9cacacb8193b863d4d7c278dee2e32a1ee9083dccb39fb0bee42476e4238f
Score

10^/10

evasion persistence trojan agenttesla keylogger spyware stealer
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- AgentTesla Payload
- Blocklisted process makes network request
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Bypass User Account Control

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macroxlmmacro_on_action

behavioral1

evasionpersistencetrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy