agenttesla | 6638f6849a9c27dc035d5ba97690c670152b9f300c579ad44d73a8274f8ceb75 | Triage

Submit
Reports

Overview

overview

Static

static

Shipping d...ts.exe

windows7_x64

Shipping d...ts.exe

windows10-2004_x64

Sharing

General

Target

6638f6849a9c27dc035d5ba97690c670152b9f300c579ad44d73a8274f8ceb75
Size

412KB
Sample

220521-dct91sfde4
MD5

d7290e004145d515f61559ad1991298f
SHA1

2242a047e772b4b247ec1b1679ed5f875269cace
SHA256

6638f6849a9c27dc035d5ba97690c670152b9f300c579ad44d73a8274f8ceb75
SHA512

13373c7aff4c77aabd127422c4f1c2bcf77a8645ade431888b7828333df7b79d5c6b6f3ad269a8ada4d4d63202cba2ea444a1dd32308ac55e9d020573acfc0a2

Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Shipping documents.exe

Resource

win7-20220414-en

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Shipping documents.exe

Resource

win10v2004-20220414-en

agenttesla evasion keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.microtechlab.in
Port:
587
Username:
[email protected]
Password:
pune@123

Targets

- Target
  
  Shipping documents.exe
- Size
  
  455KB
- MD5
  
  2879721f8b9759ef832a173a4aef7f74
- SHA1
  
  e44ce3d55b58edd0fbdb51b78a2db0ca1da35d32
- SHA256
  
  24be3b1c3a8a56f3028bb533082f4e8e93f1405b7066e4facde544c22010afa5
- SHA512
  
  50014f4ab829d1e5379952ac2a19c46abfd0e73585231a6d6e0078db2218ff92149cc1b1d547eef7295ed3c48ff0866586509d5a2258b3bc2dd3bf1ccabe6625
Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencerezer0spywarestealertrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy