agenttesla

General

Target

c90f8b71831759ad90838a68b67b6f307810193988878a021785d99930f47b08
Size

380KB
Sample

220521-clafjahahp
MD5

212c5d0d4ad690704a13f167502c622a
SHA1

5527cc7238aded5abf0e75bc5a704fcf35988eaa
SHA256

c90f8b71831759ad90838a68b67b6f307810193988878a021785d99930f47b08
SHA512

d5e97c915388d65b8ad3695a6f5141c5472a6628734accbe37127eddd82dc82abb626e8acc957d3243f7799d69be902cd6901bb78ad39e127136d76650dc4681

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.pptoursperu.com
Port:
587
Username:
[email protected]
Password:
mailppt2019-

Targets

- Target
  
  BANK DETAILS.exe
- Size
  
  414KB
- MD5
  
  e31fab9d8d4a78dd347a2386bb32349f
- SHA1
  
  c9ca9f887d9d6e9de29201e203defd6bb62458c9
- SHA256
  
  786be13603b06cce80fac1349c514e29ecd2664a51f045bc5446d2f9647087ec
- SHA512
  
  3b3cd86d0067872b0375452020ecc2e3c6a9fb34a6ec741077ae5d680494b4c96fee890c57edb4cf828cb57e035ef6f0ed6683ef8c94fb1405647e10daf8ca59
Score

10^/10

agenttesla collection coreentity evasion keylogger rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CoreEntity .NET Packer

AgentTesla Payload

ReZer0 packer

Disables Task Manager via registry modification

Drops file in Drivers directory

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2