agenttesla | 9e1297ba1caf91e23ccf9f87ce9ad16f845740ed29b248b19cdbd69e89e72051 | Triage

Submit
Reports

Overview

overview

Static

static

DHL_AWB #1...df.exe

windows7_x64

DHL_AWB #1...df.exe

windows10-2004_x64

Sharing

General

Target

9e1297ba1caf91e23ccf9f87ce9ad16f845740ed29b248b19cdbd69e89e72051
Size

485KB
Sample

220521-cxawfaefb3
MD5

b0c6dc4ac64fe7b6bdf82f423edc8fb1
SHA1

515790229365c358e7abccf0bdf9f33038b8e26e
SHA256

9e1297ba1caf91e23ccf9f87ce9ad16f845740ed29b248b19cdbd69e89e72051
SHA512

b9383663c2f4e698b23298320e9cd7bf7f47170ae7d5e651ad9428f25d02b29cfb4003abe5c2735545c8b34ccec82677c1b791049c3320487763f30f04a281a2

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

DHL_AWB #1008936572891_pdf.exe

Resource

win7-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

DHL_AWB #1008936572891_pdf.exe

Resource

win10v2004-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.rulmeca.co
Port:
587
Username:
[email protected]
Password:
jbinkowska@123

Targets

- Target
  
  DHL_AWB #1008936572891_pdf.exe
- Size
  
  580KB
- MD5
  
  b513067d4f9f767961d0f2bc798e0cf9
- SHA1
  
  5f08038c10344fa9028a5c7c9aab4fd00c73eda5
- SHA256
  
  0bc02b5ed2a298e9b8859eac4c03ca7b0ba2ab7e00a3b8477967428cc5f4d88b
- SHA512
  
  6b8045b902a8e2a0e06ca400c1540a40963413bfb7acb161941d32816b9431c75df9e106345daadd90d247d9fe083db9e8aab20222112338d8beab37a115b8dc
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy