agenttesla | 9519e533283ebeaacc4f04577216c2df7b8bdd0f17df36fa55c4c95469b44b39 | Triage

Submit
Reports

Overview

overview

Static

static

Norstar Ba...88.exe

windows7_x64

Norstar Ba...88.exe

windows10-2004_x64

Sharing

General

Target

9519e533283ebeaacc4f04577216c2df7b8bdd0f17df36fa55c4c95469b44b39
Size

604KB
Sample

220520-2cwpvafba6
MD5

4a1e8317834f19090658c5e6fc52ebf9
SHA1

25b35649775c60e1015b377b91a167b57891304e
SHA256

9519e533283ebeaacc4f04577216c2df7b8bdd0f17df36fa55c4c95469b44b39
SHA512

dea9bbd6cda5cc14cf10aabf92ed9b114870d682014d70af94928b0562602cc92f8e280e917489482c95ff402c805bb62a17ee95c3e57ef6cb835c9946bd56c3

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Norstar Baltic - Q88.exe

Resource

win7-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Norstar Baltic - Q88.exe

Resource

win10v2004-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.maihyundai.com
Port:
587
Username:
[email protected]
Password:
isla44332211

Targets

- Target
  
  Norstar Baltic - Q88.exe
- Size
  
  720KB
- MD5
  
  09e36a44827320de0eb19fc0b1a91f61
- SHA1
  
  6c5c259788e531ca18fabcd5c3ed9db3f9ed8600
- SHA256
  
  f5a3632e4dc565def5e2a0e015931fd3bca1c19e1045044429bbe3912422e32b
- SHA512
  
  7a6c42a9c65cf7d8bfa5540824db07dd6cf125f85afc34833fa39cca63ac6783b06fe1ee26a2ddb0a3768c5a60b979b3719fa70d98906190ca56961c1d8525af
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy