agenttesla | e37dfd22eb88db0869e3629b579abd3f14c6cdaae221e84aa97be7c094753c70 | Triage

Submit
Reports

Overview

overview

Static

static

overdue ac...DF.exe

windows7_x64

overdue ac...DF.exe

windows10-2004_x64

Sharing

General

Target

e37dfd22eb88db0869e3629b579abd3f14c6cdaae221e84aa97be7c094753c70
Size

409KB
Sample

220521-a9ap4aeeeq
MD5

8f82a47b21ce98fd48e4f220e40c8747
SHA1

75cddca1f101896b6a5162e34671cefdf3d8ebf1
SHA256

e37dfd22eb88db0869e3629b579abd3f14c6cdaae221e84aa97be7c094753c70
SHA512

542f1ed9514b8663e90d9e1000ad6e19578698b69c69749ad63a96b7931e639cd2dffbc8b49c152a092a3c6a9dd6622080ee4ab58d538c7c7a52c564264b9448

Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

overdue account letter.PDF.exe

Resource

win7-20220414-en

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

overdue account letter.PDF.exe

Resource

win10v2004-20220414-en

agenttesla evasion keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.microtechlab.in
Port:
587
Username:
[email protected]
Password:
pune@123

Targets

- Target
  
  overdue account letter.PDF.exe
- Size
  
  461KB
- MD5
  
  1319cf2f252ccac65fc3d468b487593d
- SHA1
  
  ba35e5badeaac9233605ca750849dd3ee324413a
- SHA256
  
  0843dfe5e6b3266770393c129939c4fc85db09ee36dd51696fbc711a3b556460
- SHA512
  
  025a7cb074dbb315bb9e3366cd71a1cced563a8e17143d1cdc51d20eeb0a73d374fbc1f5f044eba2edc111a2c1970654060b55f6c1c09b8331ca9e887e4561bb
Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencerezer0spywarestealertrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy