agenttesla | abd261879ff1611f42e267980489b5b90cc5d8f1e8317fb118b58d9bc15a1db5 | Triage

Submit
Reports

Overview

overview

Static

static

PO20200716-July.exe

windows7_x64

PO20200716-July.exe

windows10-2004_x64

Sharing

General

Target

abd261879ff1611f42e267980489b5b90cc5d8f1e8317fb118b58d9bc15a1db5
Size

282KB
Sample

220521-nrbrbsead7
MD5

5b1b28b04412ad1d949e3cb70a7483ee
SHA1

02190bed36fc1fce02e3d2ffdee381062c7ba286
SHA256

abd261879ff1611f42e267980489b5b90cc5d8f1e8317fb118b58d9bc15a1db5
SHA512

24ab122f1195556c9e1a8e1ab7f7c395fa3e15765b6d21f7fb5e32286d0d3da1c240c464cead5781aa80e26e82e4bb59a38894cb762c95daf48e5a2448bdf9e8

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO20200716-July.exe

Resource

win7-20220414-en

agenttesla keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO20200716-July.exe

Resource

win10v2004-20220414-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
realmen2020@yandex.ru
Password:
zS8ZQ88MrxAbUtE

Targets

- Target
  
  PO20200716-July.pif
- Size
  
  666KB
- MD5
  
  32b3a0cf4205e5e48691c110aa082d1e
- SHA1
  
  4ec9cce9ec3a012e53e9b116d40f7506c4632e14
- SHA256
  
  95cc09bf84b557baa4ce240a6034d1169e12f4268bf9041c4116f149f7603afe
- SHA512
  
  29d351454db9aa84a18704659f89ffa148df0fa5483f4ad2a9e127411862eddad35a073ab1d6feb2c3e00a746f063cdd12972259d5600700994f827819721639
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan collection
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy