agenttesla | 3368451d206d750382c2ff4c823c3a0f95952e2ce86e7fdde7b4c3e1d4d5c75b | Triage

Submit
Reports

Overview

overview

Static

static

SHIPPING D...T.xlsx

windows7_x64

SHIPPING D...T.xlsx

windows10_x64

1

Sharing

General

Target

SHIPPING DOCUMENT.xlsx
Size

587KB
Sample

210915-hx8qcsdbbj
MD5

8d888bf7f0fbf737dcb6f62f58d9c00e
SHA1

5d8acca52c259e714e4e28a9e6ea3a36f5eb108f
SHA256

3368451d206d750382c2ff4c823c3a0f95952e2ce86e7fdde7b4c3e1d4d5c75b
SHA512

ec7e95b51f72ac8182859edffe4ea68ea18d2e6c93df5ab9d850fdb63d3494fdf6eabe75c30a1ff07a5df5f99cc9eb076691fbfb70a0d84f0a16a57c9e05ab96

Score

10^/10

agenttesla keylogger spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

SHIPPING DOCUMENT.xlsx

Resource

win7v20210408

agenttesla keylogger spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SHIPPING DOCUMENT.xlsx

Resource

win10-en

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.ccsp-india.com
Port:
587
Username:
jayamurugan@ccsp-india.com
Password:
Lkp$CcsP1008

Targets

- Target
  
  SHIPPING DOCUMENT.xlsx
- Size
  
  587KB
- MD5
  
  8d888bf7f0fbf737dcb6f62f58d9c00e
- SHA1
  
  5d8acca52c259e714e4e28a9e6ea3a36f5eb108f
- SHA256
  
  3368451d206d750382c2ff4c823c3a0f95952e2ce86e7fdde7b4c3e1d4d5c75b
- SHA512
  
  ec7e95b51f72ac8182859edffe4ea68ea18d2e6c93df5ab9d850fdb63d3494fdf6eabe75c30a1ff07a5df5f99cc9eb076691fbfb70a0d84f0a16a57c9e05ab96
Score

10^/10

agenttesla keylogger spyware stealer suricata trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy