agenttesla | b023dc5c80743dd83a5887e66274553f15d9c787a0186a949b8e3c75595a0d5f | Triage

Submit
Reports

Overview

overview

Static

static

IMG-43555_...DF.exe

windows7_x64

IMG-43555_...DF.exe

windows10-2004_x64

Sharing

General

Target

b023dc5c80743dd83a5887e66274553f15d9c787a0186a949b8e3c75595a0d5f
Size

806KB
Sample

220521-cr5hvsedd5
MD5

ebe9d567fc7e1d0e801a6fb88bc0f2b6
SHA1

110827b7dc07992c97bcbbe2e006fa4e667b24aa
SHA256

b023dc5c80743dd83a5887e66274553f15d9c787a0186a949b8e3c75595a0d5f
SHA512

d9f9035c480d75aa26ec633694f44cf39ce4939a990d021434969624279c30c043f6a28703403536a75de8e01e92a7dc418ed819a5d3ffe6a5377da651ee0ee1

Score

10^/10

agenttesla collection evasion keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

IMG-43555_UTR 34444_PDF.exe

Resource

win7-20220414-en

agenttesla collection evasion keylogger spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

IMG-43555_UTR 34444_PDF.exe

Resource

win10v2004-20220414-en

agenttesla collection evasion keylogger spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.urban.co.th
Port:
587
Username:
[email protected]
Password:
Urban@1143

Extracted

Credentials

Protocol: smtp
Host:
smtp.urban.co.th
Port:
587
Username:
[email protected]
Password:
Urban@1143

Targets

- Target
  
  IMG-43555_UTR 34444_PDF.exe
- Size
  
  940KB
- MD5
  
  80a3e56f0e754b838dc4a2c49b44b7ac
- SHA1
  
  181d352a869f14512dcfcd475109ca0c628e1ade
- SHA256
  
  8846c5d088724ae06915e0e0f987ca3a65fba368095bc73f3109f6cb7841318b
- SHA512
  
  17256ee48f88550f4bcabba39c9fe0a1a8ad015be8036ac427948505221af74ef390672247bc8e8ea3105a645760832ef0608a588f74a4e609369935b054f038
Score

10^/10

agenttesla collection evasion keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerspywarestealertrojan

behavioral2

agentteslacollectionevasionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy