agenttesla | 9888c457740377c7aaa34b743985c151226fab832c3dabddf9a5c43352eff34c | Triage

Submit
Reports

Overview

overview

Static

static

Ralson pay...df.exe

windows7_x64

Ralson pay...df.exe

windows10-2004_x64

Sharing

General

Target

9888c457740377c7aaa34b743985c151226fab832c3dabddf9a5c43352eff34c
Size

508KB
Sample

220521-cykr2ahgdm
MD5

b121e6108cfe6c1edf9eea84fde21566
SHA1

656ea4c6fa0ea4b8317174a638b5361967eeeca9
SHA256

9888c457740377c7aaa34b743985c151226fab832c3dabddf9a5c43352eff34c
SHA512

1e8445996c5a7ca93112ef51721f3ed9d9a7df6363f4f10c4bcf5b222948d0f91f34e8d4b77d3369699e4322f60b941961943da16312ac1ca509a9b012c813ad

Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Ralson payment slip.pdf.exe

Resource

win7-20220414-en

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Ralson payment slip.pdf.exe

Resource

win10v2004-20220414-en

agenttesla collection evasion keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.pro-powersourcing.com
Port:
587
Username:
[email protected]
Password:
china1977

Targets

- Target
  
  Ralson payment slip.pdf.exe
- Size
  
  550KB
- MD5
  
  cb6edb483fbed56eeb55c8cdf8729d6a
- SHA1
  
  ef5b5ad700ae044299f46f480817515f12093a8b
- SHA256
  
  7582634a83ef1c1bf123347b22852b93f134b6b97f10aaffa2aebd5df7b920e9
- SHA512
  
  f6bd7ee2f9194e9f73caa1585b9c17711906f3249e9c9bd91ebdc8991ff82587f04012d73c47a72df841e6a0429eb0c47b0a0a8d3524c64de83817164b3eff97
Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencerezer0spywarestealertrojan

behavioral2

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy