agenttesla | eeb657c996085b9dfa34b7d7c649f03d8106111ab537058cb2fad15fa4512bcd | Triage

Submit
Reports

Overview

overview

Static

static

JW50941PI,pdf.exe

windows7_x64

JW50941PI,pdf.exe

windows10-2004_x64

8

Sharing

General

Target

eeb657c996085b9dfa34b7d7c649f03d8106111ab537058cb2fad15fa4512bcd
Size

338KB
Sample

220521-nymgeahdgj
MD5

2c7f0deb853f41ed8a2c66f4438e9b13
SHA1

0695f35c2b3536a5d38b956ff5e4ab80ada80a0f
SHA256

eeb657c996085b9dfa34b7d7c649f03d8106111ab537058cb2fad15fa4512bcd
SHA512

c94285a76f8259051208fa9541516a2c134ec939c3f690fc737f3e57f6b851a9cc745d58fab77e4c819f8c58327a2690fbc4e37425bf476d51af8b543a564ae7

Score

10^/10

agenttesla agilenet keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

JW50941PI,pdf.exe

Resource

win7-20220414-en

agenttesla agilenet keylogger persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

JW50941PI,pdf.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.heybetdeger.av.tr
Port:
587
Username:
heybet@heybetdeger.av.tr
Password:
Heybet27-

Targets

- Target
  
  JW50941PI,pdf.exe
- Size
  
  872KB
- MD5
  
  eaa461707107d984bef65c2440be4bab
- SHA1
  
  a282713aa5f086efa5b1acbef2b17c9e8faf7af4
- SHA256
  
  982973063ae8ea7dbe8cb75740f7e99317efcb46755e51c880f2e303ed4d5e62
- SHA512
  
  dbdcf1938f2e7e80cea584ee13fcd3f73adafddc2b23d9ae8213b7b80a6261e2704f5bd9489cd05bf8d84cd9ad789090cc2d3a8974cd6e7752eeba1bf7119ed1
Score

10^/10

agenttesla agilenet keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslaagilenetkeyloggerpersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy