agenttesla

General

Target

0aab0231c75193c9e832c5cd000dea83298e2bc3aed79d765152440064f8f5cc
Size

485KB
Sample

220521-d3csnabgbk
MD5

e85ff90e403f6eeef71a75074ca5feb9
SHA1

0c898f4cf67b3a3e0325b5732b018e219180a770
SHA256

0aab0231c75193c9e832c5cd000dea83298e2bc3aed79d765152440064f8f5cc
SHA512

a20f692bafd7c05e50cc1ee62b909e260438bced92c4fe96e35375f731b3de51f88775e67b37423aff2f441ba77188e9d0b75362a8698a851b2ca1960e09c9ec

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.pro-powersourcing.com
Port:
587
Username:
vivi@pro-powersourcing.com
Password:
china1977

Targets

- Target
  
  SOA.exe
- Size
  
  539KB
- MD5
  
  36914235489a2a8d85d5b74e72240324
- SHA1
  
  cd625adecfa3ef160f57eee2069e7775744f730c
- SHA256
  
  b40edfb78610a92314bc7d79c6c64aee89064821da0187475855ecc87c0148ed
- SHA512
  
  fca474672dad94f3d8a8741394eac7a413f2ddcfe9cb299a54b9f870daaa07fc9785cde12c0e68eb71025fe0090c24e6184207f3a021e89152b52b7b0f8e5c08
Score

10^/10

agenttesla collection coreentity evasion keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CoreEntity .NET Packer

AgentTesla Payload

ReZer0 packer

Disables Task Manager via registry modification

Drops file in Drivers directory

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2