agenttesla | f07fc5f31e955fb3c7fc9d9c5a7eff013b987916aa18c60c1b3ff80db344c9ab | Triage

Submit
Reports

Overview

overview

Static

static

4409RI1000...XT.exe

windows7_x64

9

4409RI1000...XT.exe

windows10_x64

Sharing

General

Target

4409RI100080 SWIFTMSG.TXT.exe
Size

458KB
Sample

211202-nqkb3sfecl
MD5

ee8a0fc4071663b4c7f8524a896b302a
SHA1

27b2da6630e2a684379ef8c16568857070a2a15c
SHA256

f07fc5f31e955fb3c7fc9d9c5a7eff013b987916aa18c60c1b3ff80db344c9ab
SHA512

a6c17a2f0046c4c8a36613f345a881c1692caec5e39b23f0aa4f8de0759cf4184a47a51d70e215021e90db64fb568c02cd9bd56961a5b390cbd56fcb8c410e58

Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

4409RI100080 SWIFTMSG.TXT.exe

Resource

win7-en-20211104

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

4409RI100080 SWIFTMSG.TXT.exe

Resource

win10-en-20211104

agenttesla collection evasion keylogger persistence spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1338829993:AAGkgJ80sLaIYwBfp79Ps5EtdSP1XH6jBV8/sendDocument

Targets

- Target
  
  4409RI100080 SWIFTMSG.TXT.exe
- Size
  
  458KB
- MD5
  
  ee8a0fc4071663b4c7f8524a896b302a
- SHA1
  
  27b2da6630e2a684379ef8c16568857070a2a15c
- SHA256
  
  f07fc5f31e955fb3c7fc9d9c5a7eff013b987916aa18c60c1b3ff80db344c9ab
- SHA512
  
  a6c17a2f0046c4c8a36613f345a881c1692caec5e39b23f0aa4f8de0759cf4184a47a51d70e215021e90db64fb568c02cd9bd56961a5b390cbd56fcb8c410e58
Score

10^/10

evasion agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy