agenttesla | a9ba0327f1ea8e71d77af0465dffe3038f7bc33910f908c97eab62b7bfcc404d | Triage

Submit
Reports

Overview

overview

Static

static

New #PO 84042841.exe

windows7_x64

New #PO 84042841.exe

windows10-2004_x64

Sharing

General

Target

a9ba0327f1ea8e71d77af0465dffe3038f7bc33910f908c97eab62b7bfcc404d
Size

470KB
Sample

220521-n2z7nshfdl
MD5

5016f14b9881ace33328993e755daadf
SHA1

15d15baa185a877ebeaf74ad59ba209a8c90e8fa
SHA256

a9ba0327f1ea8e71d77af0465dffe3038f7bc33910f908c97eab62b7bfcc404d
SHA512

8ed90434fe022fb42ae43b59aa1983a2ed3d485823890c7cd0dd80807d16f71eedb36b010d8ed40abaf2bd99a34c54468a47cdef645270a486b0c68e9bae583c

Score

10^/10

agenttesla collection coreentity keylogger persistence rezer0 spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

New #PO 84042841.exe

Resource

win7-20220414-en

agenttesla collection coreentity keylogger persistence rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New #PO 84042841.exe

Resource

win10v2004-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.sridurgaagros.com
Port:
587
Username:
patlog@sridurgaagros.com
Password:
@Hammer1980

Targets

- Target
  
  New #PO 84042841.exe
- Size
  
  685KB
- MD5
  
  20187c9899f3b395219e55133004bd23
- SHA1
  
  952ca8e8eed8e2c05f7627e93ed4dad15a0fff9c
- SHA256
  
  ba6c27eedbe9c1152f8232f685600ec69ad11ada7b6e82db997e08d89a1b0385
- SHA512
  
  c8d9ab5f04c3514c207d712ec4211d41161848b1bc85dc37a4ef6b66f60ef79165ca2cb68fb965fa9e9e9ac42ab14ee7b19f05e1253815f47795f7478cecc082
Score

10^/10

agenttesla collection coreentity keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectioncoreentitykeyloggerpersistencerezer0spywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy