agenttesla

General

Target

8fccab27aa3dcbb5ed5ed962f25b2c7016536aaca3f2a5b0624ae2a8ac1c54ae
Size

417KB
Sample

220521-brkm1scch9
MD5

71331cf654be64ea7bef3599880525de
SHA1

cb2921c53d7856eb9cde3dbba8ad7568f42fd387
SHA256

8fccab27aa3dcbb5ed5ed962f25b2c7016536aaca3f2a5b0624ae2a8ac1c54ae
SHA512

7d73466126e1221c16986f7a30e074b85ed0ed83153c06afac2966f82453be97586282f981867e2c102fff4ee0b60eb36b8e52c3341c168c3a466a30802cf3db

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.pptoursperu.com
Port:
587
Username:
[email protected]
Password:
mailppt2019-

Targets

- Target
  
  BANK DETAILS.exe
- Size
  
  492KB
- MD5
  
  8d51581d38bf6d814eeb107d8bb7056c
- SHA1
  
  cf22a586b7a298ab0032b20695902d43673d9c17
- SHA256
  
  1ab6018047531cee5f411099f396fb8fcdf2c8c20062e9c33118726265ccd5fb
- SHA512
  
  54588360eda1bd70c2b8da73297676d9bcbb6db0c56c49fa442308b7fdb1b2429586d9c7db5ccdcd23afc2d39fd5d2e40382faebbbe738ebdf363f13cd1cd563
Score

10^/10

agenttesla collection coreentity evasion keylogger rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CoreEntity .NET Packer

AgentTesla Payload

ReZer0 packer

Disables Task Manager via registry modification

Drops file in Drivers directory

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2