agenttesla | 25bde167c9b953f89ef5ff0031c2cfa197eb00c94b65fd2c461e7020f85e4460 | Triage

Submit
Reports

Overview

overview

Static

static

201586.exe

windows7_x64

201586.exe

windows10_x64

Sharing

General

Target

201586.pdf.zip
Size

462KB
Sample

211019-gw38tagbgq
MD5

8d2c16e7868152fdae3c5c4204588d40
SHA1

15819f08d0746ed6b00c3a30dae89b250ccffb97
SHA256

25bde167c9b953f89ef5ff0031c2cfa197eb00c94b65fd2c461e7020f85e4460
SHA512

97cfd507426ff0747eb789a4e460ba8aceb81c20c5f5a109b4040d2c48056873f6f0594012fe9f5063706ba49f0e406443a9e17c7c7428dfd1685dbc0f3fa3c3

Score

10^/10

agenttesla agilenet collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

201586.exe

Resource

win7-en-20210920

agenttesla agilenet collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

201586.exe

Resource

win10-en-20211014

agenttesla agilenet collection keylogger persistence spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.merchantexint.com
Port:
587
Username:
[email protected]
Password:
merW&13@

Targets

- Target
  
  201586.exe
- Size
  
  795KB
- MD5
  
  8a6465a960395e718b9489c5738a1714
- SHA1
  
  fc72045fbc8157ed4035d53f12cf36738ecad644
- SHA256
  
  fe8fd282bdc1f838ff2dad9b56b6bd615fb7f76fa69775c5afd5ee204dd007f6
- SHA512
  
  7918da056a93b0e03dd79f18fd6f6360ca945342619cee7f19329069ad9c495947de345dca6b7aaea27184574056b80ae5add6079e0f7e57f33de0121f68c7b9
Score

10^/10

agenttesla agilenet collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaagilenetcollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaagilenetcollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy