agenttesla | 289c109e239ee7570e68e8703e4c64fc45726f50766fe8b1b4d95e9073fe0b35 | Triage

Submit
Reports

Overview

overview

Static

static

SIGNED AND...CE.exe

windows7_x64

SIGNED AND...CE.exe

windows10-2004_x64

Sharing

General

Target

289c109e239ee7570e68e8703e4c64fc45726f50766fe8b1b4d95e9073fe0b35
Size

409KB
Sample

220521-bbzf8sefhj
MD5

f12c848be2624eeeb6862dbb03e30f58
SHA1

fe11835a0d6abcdda74160d34ba0ac0f9b564520
SHA256

289c109e239ee7570e68e8703e4c64fc45726f50766fe8b1b4d95e9073fe0b35
SHA512

9f74143e695e2bbd5a60445ca51c2e986f50f37ac01bac22890a0bf3d0357c26e7dddc2000cab1522efe8c766a267d4b34c2af2fdfed81f410bb602c0e9e2aed

Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SIGNED AND STAMPED INVOICE.exe

Resource

win7-20220414-en

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SIGNED AND STAMPED INVOICE.exe

Resource

win10v2004-20220414-en

agenttesla evasion keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.microtechlab.in
Port:
587
Username:
[email protected]
Password:
pune@123

Targets

- Target
  
  SIGNED AND STAMPED INVOICE.exe
- Size
  
  461KB
- MD5
  
  1319cf2f252ccac65fc3d468b487593d
- SHA1
  
  ba35e5badeaac9233605ca750849dd3ee324413a
- SHA256
  
  0843dfe5e6b3266770393c129939c4fc85db09ee36dd51696fbc711a3b556460
- SHA512
  
  025a7cb074dbb315bb9e3366cd71a1cced563a8e17143d1cdc51d20eeb0a73d374fbc1f5f044eba2edc111a2c1970654060b55f6c1c09b8331ca9e887e4561bb
Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencerezer0spywarestealertrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy