agenttesla

General

Target

b2e883d87fa1f254b672219863556f3b84459e173b45d544025b8223f611d953
Size

388KB
Sample

220521-b1h6jscgf3
MD5

46d6edcb1784e19ed01d5e618d8ff0df
SHA1

a0cd996e359589ea7260ddb79a24ad16dabd9886
SHA256

b2e883d87fa1f254b672219863556f3b84459e173b45d544025b8223f611d953
SHA512

6b7b9276c98aced30d0b9222ad32f42d7dc71c2fb1efb5adef354157af90e4138336d1e19042052d4b3887319926be63d328cd4c70e8a4bd472c8dd33c69942b

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.pptoursperu.com
Port:
587
Username:
[email protected]
Password:
mailppt2019-

Targets

- Target
  
  PMR#RFQ_PRICE.exe
- Size
  
  470KB
- MD5
  
  564e463d0cbe16ecccae36838683debe
- SHA1
  
  3b6e76c28b673fcc8d2378e9ae3ee7944ad9fc1c
- SHA256
  
  9fb0d4a6cb16d10fc8c584647a21530ec375abf85b5a48d7d7578ebe6dc36f27
- SHA512
  
  19c392bfc97a2cd8d6c07703ccd8c7c182a7ab5e314c60ffa086080c72f3225326648d00b990afe9ea6c7faa030d23fee85a95e32d55cb96793f6e4b13a3afdb
Score

10^/10

agenttesla collection coreentity evasion keylogger rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CoreEntity .NET Packer

AgentTesla Payload

ReZer0 packer

Disables Task Manager via registry modification

Drops file in Drivers directory

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2