agenttesla | 0d2f730e4b147a8413e4d9c85a4d73533b170c307797c08dacfa16504976be19 | Triage

Submit
Reports

Overview

overview

Static

static

swift comf...on.exe

windows7_x64

swift comf...on.exe

windows10-2004_x64

Sharing

General

Target

0d2f730e4b147a8413e4d9c85a4d73533b170c307797c08dacfa16504976be19
Size

595KB
Sample

220520-2n5f5aagcm
MD5

2b000c8b0fe26716d318806b04328657
SHA1

1af72746e0450bb8a658fafab4d47ccc9a954fe0
SHA256

0d2f730e4b147a8413e4d9c85a4d73533b170c307797c08dacfa16504976be19
SHA512

c5b20b8b2ff15ab58e478c6e2fa60d20200a5ff43e372a98fd6966c5b9b9376a3b8e51a9bea47a659a6905d04ff59132b24c37e330275e111f01ef191269cbc5

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

swift comfirmation.exe

Resource

win7-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

swift comfirmation.exe

Resource

win10v2004-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.uwcelectric.com
Port:
587
Username:
[email protected]
Password:
TYT#ikd1

Targets

- Target
  
  swift comfirmation.exe
- Size
  
  647KB
- MD5
  
  910bc85e248fa7e2794e3d2469d3b94d
- SHA1
  
  09e4a1102f7df7a21f22bfc02f9649918db1f60d
- SHA256
  
  205034fed0edd3c5d8069c63783b3cfdeba86816e6f1f5f6899add096d482bff
- SHA512
  
  45bec61009a8bb18b860ac3086e94c3794fe353c85180e38ccb86b81c9f05137afb9fad605ea4ecbf3f60b84f20e17d11cafb430a13cb4c4e34c648677924dac
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy