agenttesla | 89d032f139fd088c071458b575b4d046a88ad4fac02965480cca608fafe21902 | Triage

Submit
Reports

Overview

overview

Static

static

PNQNR00000118.exe

windows7_x64

PNQNR00000118.exe

windows10-2004_x64

Sharing

General

Target

89d032f139fd088c071458b575b4d046a88ad4fac02965480cca608fafe21902
Size

406KB
Sample

220521-agqwlsacb2
MD5

fd3a93c686e72c0aa9cd40aa77a952c1
SHA1

934b3d6318ce048c4e8bc13eac8a50549896ab74
SHA256

89d032f139fd088c071458b575b4d046a88ad4fac02965480cca608fafe21902
SHA512

f50421b30dbae79737deabca656cd39a5967b31d764da6e49d0e3b47412d182cfc8d0785eaae27add1100e68198a15f9a92125aff7b7d56ca3f326b73df464ab

Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PNQNR00000118.exe

Resource

win7-20220414-en

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PNQNR00000118.exe

Resource

win10v2004-20220414-en

agenttesla evasion keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.microtechlab.in
Port:
587
Username:
[email protected]
Password:
pune@123

Targets

- Target
  
  PNQNR00000118.exe
- Size
  
  457KB
- MD5
  
  01bdf85fd9d60dc595da5538886183b6
- SHA1
  
  5177aaa631370a9b2eb96a96c6c21710c7992669
- SHA256
  
  64264df837360c369765793af002c3576660a16f686473b5d3d97733c10a8ecb
- SHA512
  
  3bfb8630cee7fea2d44e4ae867daa0ec75b986042a5275e871106297826f9dfe46e24ae1df9ce51e14a4632519cb60871f32dc3abd964d0495425b4bedf6a8f5
Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencerezer0spywarestealertrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy