agenttesla | f6b969be87ff04be7afa8ebb789d8867356700537c3ca7cc8f64d2a587c0c0d6 | Triage

Submit
Reports

Overview

overview

Static

static

b1954d6c1f...29.exe

windows7_x64

b1954d6c1f...29.exe

windows10_x64

Sharing

General

Target

b1954d6c1f249601ce6c562f6258ab29.exe
Size

1.2MB
Sample

210723-qym6kqp4sj
MD5

b1954d6c1f249601ce6c562f6258ab29
SHA1

f14797cd7a1d5c93e0acaab9ae808447c7d49646
SHA256

f6b969be87ff04be7afa8ebb789d8867356700537c3ca7cc8f64d2a587c0c0d6
SHA512

d7621ea34a49d9c3ca1e3ddd542a8e2e7115408b5959dbfc0a0525a6ebe83d70a363f4cf8ce9bec40fc51462bd9b986e9e51825f379c0e915b42ce2f4114a579

Score

10^/10

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

b1954d6c1f249601ce6c562f6258ab29.exe

Resource

win7v20210410

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

b1954d6c1f249601ce6c562f6258ab29.exe

Resource

win10v20210408

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

ghjklhgteg.strangled.net:6703

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendDocument

Targets

- Target
  
  b1954d6c1f249601ce6c562f6258ab29.exe
- Size
  
  1.2MB
- MD5
  
  b1954d6c1f249601ce6c562f6258ab29
- SHA1
  
  f14797cd7a1d5c93e0acaab9ae808447c7d49646
- SHA256
  
  f6b969be87ff04be7afa8ebb789d8867356700537c3ca7cc8f64d2a587c0c0d6
- SHA512
  
  d7621ea34a49d9c3ca1e3ddd542a8e2e7115408b5959dbfc0a0525a6ebe83d70a363f4cf8ce9bec40fc51462bd9b986e9e51825f379c0e915b42ce2f4114a579
Score

10^/10

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- AgentTesla Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslawarzoneratinfostealerkeyloggerpersistenceratspywarestealertrojan

behavioral2

agentteslawarzoneratinfostealerkeyloggerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy