agenttesla | b17e4332096c690189b2281ca1c414f07109be3779e5262c538ae28f58f45884 | Triage

Submit
Reports

Overview

overview

Static

static

SOA.PDF.exe

windows7_x64

SOA.PDF.exe

windows10-2004_x64

Sharing

General

Target

b17e4332096c690189b2281ca1c414f07109be3779e5262c538ae28f58f45884
Size

366KB
Sample

220521-ptnz4sgab5
MD5

0104900d9107296dc2ea1944b3534e9f
SHA1

b3265b188c27e52c4003c6cb74feb0f99f4eb0a3
SHA256

b17e4332096c690189b2281ca1c414f07109be3779e5262c538ae28f58f45884
SHA512

43f93814fb194366ef04e1f8219307cff956522ee98b600331e8d77d2fefd052d494f3e8e39dde9cbef12cbceebc1babf91fba6ddc9ec3be50581252acb62021

Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SOA.PDF.exe

Resource

win7-20220414-en

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SOA.PDF.exe

Resource

win10v2004-20220414-en

agenttesla evasion keylogger persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.microtechlab.in
Port:
587
Username:
reports@microtechlab.in
Password:
pune@123

Targets

- Target
  
  SOA.PDF.exe
- Size
  
  385KB
- MD5
  
  a08a2bda9c51b2d5ca1e38435629cacc
- SHA1
  
  46107a6be4613e6c2d1f9e08af63de089417ea10
- SHA256
  
  6f4d9739f62d219787f6de178ab8f5fb29f317cac258c567d8d51cddea7aa4ac
- SHA512
  
  d3be87d66877a4cf71f2edccd0863c180630b979214c40170fa5585a878f5ea32efa2c10fbd7f6129362b672230978af32f9618cd71a69be3f087f3b56aaf411
Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencerezer0spywarestealertrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy