agenttesla | 5d7566ee48f7c1525a1d0e5cf2e5463929d7ad9fe55519acec2a4fcb19507f7e | Triage

Submit
Reports

Overview

overview

Static

static

Picture.exe

windows7_x64

Picture.exe

windows10_x64

Sharing

General

Target

Picture.exe
Size

918KB
Sample

210727-jyxyr89dys
MD5

cf43b0fc3cf4393bb542bd212a1af029
SHA1

44ff1cbf0831d6176bd6e98a46f354800e9d09d0
SHA256

5d7566ee48f7c1525a1d0e5cf2e5463929d7ad9fe55519acec2a4fcb19507f7e
SHA512

5279f393b145d8a4b0672ce5f75f8f777919e0b82ff3a7c3637e5753194fbbd4ace3a173e77d670ad7ab7f0d3cf5a33b65a3bb047cb16349178aea137382e04c

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Picture.exe

Resource

win7v20210410

agenttesla keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Picture.exe

Resource

win10v20210410

agenttesla keylogger persistence spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1802838691:AAHG-LDFE4ym6sqdeNCoNwT9JyuuNVsehko/sendDocument

Targets

- Target
  
  Picture.exe
- Size
  
  918KB
- MD5
  
  cf43b0fc3cf4393bb542bd212a1af029
- SHA1
  
  44ff1cbf0831d6176bd6e98a46f354800e9d09d0
- SHA256
  
  5d7566ee48f7c1525a1d0e5cf2e5463929d7ad9fe55519acec2a4fcb19507f7e
- SHA512
  
  5279f393b145d8a4b0672ce5f75f8f777919e0b82ff3a7c3637e5753194fbbd4ace3a173e77d670ad7ab7f0d3cf5a33b65a3bb047cb16349178aea137382e04c
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Modifies system executable filetype association
  persistence
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

agentteslakeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy