agenttesla | c12e031a1e589282b9d1833184ff2153a57d324a0f60c86fb6e836e7b09c43a8 | Triage

Submit
Reports

Overview

overview

Static

static

Payment-Receipt.scr

windows7_x64

Payment-Receipt.scr

windows10-2004_x64

Sharing

General

Target

c12e031a1e589282b9d1833184ff2153a57d324a0f60c86fb6e836e7b09c43a8
Size

381KB
Sample

220520-3v5k5scdhr
MD5

a0c8f2b4ef86a7d6672d0c80d369ad09
SHA1

e56e62ade322b32a38d0d7da57ca2adf402e4725
SHA256

c12e031a1e589282b9d1833184ff2153a57d324a0f60c86fb6e836e7b09c43a8
SHA512

3af5c600084bbb80207f603e472ea4f145cd581241c93588db179a4f924c47d65c0580ecd556afa17cda7b1e20a0770828774acb8898df5d62bd66b81d531b2a

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Payment-Receipt.scr

Resource

win7-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Payment-Receipt.scr

Resource

win10v2004-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  Payment-Receipt.scr
- Size
  
  547KB
- MD5
  
  d878c38dcae8eb7855f194b29fde64e3
- SHA1
  
  a3c6e85f4ec15bffbdf1523564816d93e447a56b
- SHA256
  
  7fc2806d0821e5367c81773db3f59020ca283312b9975ef3ee19c139af0a4d69
- SHA512
  
  8ffa3435a879bf396a0e9482d8a14675e627b61256e49d12f29fe99cd0cf55718c3b807a033068c07a09e6188f30f6f4903a15e5310f1d5b17db45f12e73fcee
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy