agenttesla | b814060c8975a9b3c28ac4f26232a53569bfb40f977d9c66ce93d8965c2fdcbf | Triage

Submit
Reports

Overview

overview

Static

static

Quotation Reques.exe

windows7_x64

Quotation Reques.exe

windows10-2004_x64

Sharing

General

Target

b814060c8975a9b3c28ac4f26232a53569bfb40f977d9c66ce93d8965c2fdcbf
Size

388KB
Sample

220520-3x82cacegn
MD5

09d555bcf85799fd62c587f345954189
SHA1

fc5cf214f9dabcd6d65bebfdfbbb67f41c29c3b1
SHA256

b814060c8975a9b3c28ac4f26232a53569bfb40f977d9c66ce93d8965c2fdcbf
SHA512

03311565f25c70c70e6da19f9c49430fb99071f87969e2a904bd52b485eee7d0381bec723f6a128467cb0ac0fa18a6060409921cb3c0e85243239d432270d31b

Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Quotation Reques.exe

Resource

win7-20220414-en

agenttesla collection evasion keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Quotation Reques.exe

Resource

win10v2004-20220414-en

agenttesla collection evasion keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.el-sever.com
Port:
587
Username:
[email protected]
Password:
admin123

Targets

- Target
  
  Quotation Reques.exe
- Size
  
  636KB
- MD5
  
  c2dbd23d7d1429c00ac1054a2befb929
- SHA1
  
  20c144e6919f64dad5cff37b29da1030d5044300
- SHA256
  
  ca00e2766617e6a0d743880ad74f65b035e04192914a938a6610f6fd813c6c0c
- SHA512
  
  207753698017d2761d4b1e782d8b27fda43c71fe077989f9343c773a1ddbd49bd92a2dc57fc30d30c89e017db0b3be3de614b656137069198034aba43ee0949c
Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy