agenttesla | 173bf8f0a06a99b6ff4fd216a0be00b834aa4337828b91124da5d533e674fccf | Triage

Submit
Reports

Overview

overview

Static

static

SbPbhXXaAe...ery.js

windows7_x64

SbPbhXXaAe...ery.js

windows10-2004_x64

Sharing

General

Target

SbPbhXXaAe_ori40teleevery.js
Size

386KB
Sample

220627-skk4mscagl
MD5

917298a0ef1125c31dfc7762135d9978
SHA1

b6902cd75e83cae4ff2a3ce12f0314d364d5f481
SHA256

173bf8f0a06a99b6ff4fd216a0be00b834aa4337828b91124da5d533e674fccf
SHA512

b1ad86cd50f605ecd3bd7e9d99835dd97f64f16efa97b416e08c1c61d311874807951b7e8a887d76a1de197643a68b863fab5644010756abf384941786d3b9e1

Score

10^/10

agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

SbPbhXXaAe_ori40teleevery.js

Resource

win7-20220414-en

agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SbPbhXXaAe_ori40teleevery.js

Resource

win10v2004-20220414-en

agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/sendDocument

Targets

- Target
  
  SbPbhXXaAe_ori40teleevery.js
- Size
  
  386KB
- MD5
  
  917298a0ef1125c31dfc7762135d9978
- SHA1
  
  b6902cd75e83cae4ff2a3ce12f0314d364d5f481
- SHA256
  
  173bf8f0a06a99b6ff4fd216a0be00b834aa4337828b91124da5d533e674fccf
- SHA512
  
  b1ad86cd50f605ecd3bd7e9d99835dd97f64f16efa97b416e08c1c61d311874807951b7e8a887d76a1de197643a68b863fab5644010756abf384941786d3b9e1
Score

10^/10

agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslavjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

behavioral2

agentteslavjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

© 2018-2024

Terms | Privacy