agenttesla | a2b8a1e8ffa94d98ae7e7ddbc63662f91020d004362423a78dd1946e1fd708e8 | Triage

Submit
Reports

Overview

overview

Static

static

REMITTANCE COPY..exe

windows7_x64

REMITTANCE COPY..exe

windows10-2004_x64

Sharing

General

Target

a2b8a1e8ffa94d98ae7e7ddbc63662f91020d004362423a78dd1946e1fd708e8
Size

570KB
Sample

220521-aa8svacgdp
MD5

472e65188b50e7fddd1c144783478448
SHA1

6668dff78ec0225a1fabf7cd813d241bffa50e17
SHA256

a2b8a1e8ffa94d98ae7e7ddbc63662f91020d004362423a78dd1946e1fd708e8
SHA512

67f3b67f1436d1945e73288785cecd80a0509ebfe39a8fa536cf3ba06ad17fa724921f95d75635fd63c28a3eda3f4a6d937c6ce2f7a0aebd64af297a3929e3b1

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

REMITTANCE COPY..exe

Resource

win7-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

REMITTANCE COPY..exe

Resource

win10v2004-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.palcoman.com
Port:
587
Username:
[email protected]
Password:
GgwWVBJ5

Targets

- Target
  
  REMITTANCE COPY..exe
- Size
  
  691KB
- MD5
  
  ecd4d524988a5ad8813312e23a04c7f7
- SHA1
  
  bb748bb7e34b8ef8a506eaeb77965f2a3fddc88c
- SHA256
  
  239c9e3df55261a7c4037ac8b5693cecb72c0c5d3f832787baea8ad4f1841209
- SHA512
  
  b351e9b38e64ad14bf6c49a7fa819bfa4afba13e09825b6697e2ce32900635e0cb6d084a101dd9bde57742f5a5a9b8662d7917f391af9f35cbcb17ef472ccbe1
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy