agenttesla | f1f18b0a7efd6702ce47f9bea620165785050d55074d6ae27e6a6ff4322f6ad3 | Triage

Submit
Reports

Overview

overview

Static

static

hesapharek...df.exe

windows7_x64

hesapharek...df.exe

windows10-2004_x64

Sharing

General

Target

f1f18b0a7efd6702ce47f9bea620165785050d55074d6ae27e6a6ff4322f6ad3
Size

331KB
Sample

220521-ex3ybshgh8
MD5

788dbf576e0a2674990aca2e9360b270
SHA1

dd4485960723c552b40decf3592d92c29b22c2fe
SHA256

f1f18b0a7efd6702ce47f9bea620165785050d55074d6ae27e6a6ff4322f6ad3
SHA512

1a9134d2dc68e07e33c98be06c9081b383893d181f7db4f9d8455ecddd226be47e2f4404619aaaffd940a81c12e0640102f3837e698b24cb0cdf757eb51b6a8b

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

hesaphareketi000,pdf.exe

Resource

win7-20220414-en

agenttesla evasion keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

hesaphareketi000,pdf.exe

Resource

win10v2004-20220414-en

agenttesla evasion keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.slbdc-lk.org
Port:
587
Username:
[email protected]
Password:
finance2017

Targets

- Target
  
  hesaphareketi000,pdf.exe
- Size
  
  938KB
- MD5
  
  1d77691991b358cddb9e88b28380b124
- SHA1
  
  e815d27cdf5fde77c3ac60388408bb27304dc75a
- SHA256
  
  a9892834c6f030fd7a292b213a39270e2fc991b6c9287fff73b540dd2b36e290
- SHA512
  
  6660827d12b5e21f9116ea5cbf48e484e95c3fdc41969a3a9e78677c29c36768f8652656c126007814db8d27d242d7bc748ece8a26f179da24a57036048fdc0b
Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- AgentTesla Payload
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslaevasionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy