agenttesla | ca9705b69a492e5775f3a5131cbce6c442230f7572c21a23324b983819166154 | Triage

Submit
Reports

Overview

overview

Static

static

SIGNED AND...CE.exe

windows7_x64

SIGNED AND...CE.exe

windows10-2004_x64

Sharing

General

Target

ca9705b69a492e5775f3a5131cbce6c442230f7572c21a23324b983819166154
Size

399KB
Sample

220521-cktg1shagj
MD5

cdda222e8b2ed02b2a08889b4c1990cb
SHA1

2bc53766e453bd3b47647a6061c8d0ff518b2cbb
SHA256

ca9705b69a492e5775f3a5131cbce6c442230f7572c21a23324b983819166154
SHA512

a3080d46b5429fb30ce2616a8feb273f24c3e4fd1ae1a747a3eac1659f6e1920e9e9effeee1c66637a1e4fa43a3b31b3abc843087cac1bc97603b553854d55c4

Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SIGNED AND STAMPED INVOICE.exe

Resource

win7-20220414-en

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SIGNED AND STAMPED INVOICE.exe

Resource

win10v2004-20220414-en

agenttesla evasion keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.microtechlab.in
Port:
587
Username:
[email protected]
Password:
pune@123

Targets

- Target
  
  SIGNED AND STAMPED INVOICE.exe
- Size
  
  457KB
- MD5
  
  8c7516016e1bba2fe0e81b1792d9261e
- SHA1
  
  7d4851bad01bb5043d56ea2fb480b952cb087b84
- SHA256
  
  0b2ade3b609fe52eb27078440fe30c4983138af0a04bda84e92df8830338c9b1
- SHA512
  
  5f36c3f281f8ed5a22d6522623cef0839aebd2b6bebbbdeee068364827d11063d42656719309782843f6641687f1cfefd35b0d8d9fc03fb58a8f7b5360ada92c
Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencerezer0spywarestealertrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy