agenttesla

General

Target

40dd02a1c74b1082e1cb3ecd80fe35447f2572c0dd18155b26601659fe3a59a2
Size

2.0MB
Sample

220521-b49snsgagp
MD5

3d35c994b44adcde90d2cca592c416a7
SHA1

ce3803e25114bc9d567ec7b06ddde62c67dfa2af
SHA256

40dd02a1c74b1082e1cb3ecd80fe35447f2572c0dd18155b26601659fe3a59a2
SHA512

0aeb7565cbe6df7a4a1fc274bc469b5c01a1f98ba26729344d5f9ce1769ff16abddaba508c158c6a6ed1c54a0e89b55e3406117134c5d3b470d9869c82701bd8

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.parshavayealborz.com
Port:
587
Username:
[email protected]
Password:
P@rshava123456

Targets

- Target
  
  RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe
- Size
  
  2.1MB
- MD5
  
  3200ae4f6dc2898755658b198ce4482f
- SHA1
  
  4ba054467be75935e81245d4258a4e82ce60fd59
- SHA256
  
  826f7d92ad363ef5588a9d983b76899cd45279c201e2af459a38ef034527bf06
- SHA512
  
  8fdf74582ff2f0a1c518391d17bcb478a5e564b3a2c43062d314406bdbe9116cdf673a5cdcdae31578fc0659d2f2be552cc1cacf44a4aa6d81abc03dd5477704
Score

10^/10

agenttesla evasion keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

AgentTesla Payload

ReZer0 packer

Disables Task Manager via registry modification

Drops file in Drivers directory

Drops startup file

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2