agenttesla | 0fa01fb0c558a7999809f02fc1806196501430b1d3c54251ae3f3af4a532953b | Triage

Submit
Reports

Overview

overview

Static

static

SWIFT DOC ...79.exe

windows7_x64

SWIFT DOC ...79.exe

windows10-2004_x64

Sharing

General

Target

0fa01fb0c558a7999809f02fc1806196501430b1d3c54251ae3f3af4a532953b
Size

512KB
Sample

220520-21ljsabcgk
MD5

9f4a4801fd9029e71924b30e91748ea0
SHA1

52f927d8d236d5c25d5c8526e68c975922754939
SHA256

0fa01fb0c558a7999809f02fc1806196501430b1d3c54251ae3f3af4a532953b
SHA512

b3fb6210600c36968177731e62be807799bdd48e42368a5b87f5db395d331d70177f9077d9e9dbcb3ce75db6db8a20838754ed68e99494b09758a72848015682

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SWIFT DOC _679388 TT 190617_2019-NLCIV000003576_ES146009_30309679.exe

Resource

win7-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SWIFT DOC _679388 TT 190617_2019-NLCIV000003576_ES146009_30309679.exe

Resource

win10v2004-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.connectus-trade.net/
Port:
21
Username:
[email protected]
Password:
o^Z0CIU?^yL2

Protocol: ftp
Host:
ftp://ftp.connectus-trade.net/
Port:
21
Username:
[email protected]
Password:
o^Z0CIU?^yL2

Targets

- Target
  
  SWIFT DOC _679388 TT 190617_2019-NLCIV000003576_ES146009_30309679.exe
- Size
  
  580KB
- MD5
  
  256b58fb7dd3bb1e36833d133c7ba419
- SHA1
  
  18bbcd5c4d013e462ae3eaee2e8288544ecf3355
- SHA256
  
  ab1a433953a0fc6ef7159d5eec3d6fa8cc97fff695cd51ab9a5bb9aef4e857f8
- SHA512
  
  447dff71be288ddf00f894e0ded5363529cc316ab8bec654bc9d65a87a554b6297ed6ce3cd1f6ec7d190a361a475807ad80ce2393505b29f677aa00e7453b177
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy