agenttesla

General

Target

Order1040258.xlsm
Size

431KB
Sample

220630-ta2jbaccgp
MD5

a7a4f3a4aa943e3bd5e78789cec486d6
SHA1

6bc828610e03758ea7121983b9e281b8e8b6fb47
SHA256

7933ad4edab82e52f977bc9623aa7b24f63ac959efbf1cd5c8ecf73a4207b9c1
SHA512

863820cc0e7cabbf18653ebda72bc2357624257f29f886a3f06c8fec4a53cf0f309117467c92a7da929d51d01f3eed1dac328301621224ed8cf28807afa92445

Score

10^/10

Malware Config

Extracted

Family

agenttesla

C2

http://136.144.41.76/bray/inc/a4a9ffb236214a.php

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1111

62.197.136.167:6606

62.197.136.167:7707

62.197.136.167:8808

62.197.136.167:1111

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Order1040258.xlsm
- Size
  
  431KB
- MD5
  
  a7a4f3a4aa943e3bd5e78789cec486d6
- SHA1
  
  6bc828610e03758ea7121983b9e281b8e8b6fb47
- SHA256
  
  7933ad4edab82e52f977bc9623aa7b24f63ac959efbf1cd5c8ecf73a4207b9c1
- SHA512
  
  863820cc0e7cabbf18653ebda72bc2357624257f29f886a3f06c8fec4a53cf0f309117467c92a7da929d51d01f3eed1dac328301621224ed8cf28807afa92445
Score

10^/10

agenttesla asyncrat default collection keylogger persistence rat spyware stealer suricata trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE AgentTesla Communicating with CnC Server
  suricata: ET MALWARE AgentTesla Communicating with CnC Server
  suricata
- suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
  suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
  suricata
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  suricata
- Async RAT payload
  rat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

AsyncRat

Process spawned unexpected child process

suricata: ET MALWARE AgentTesla Communicating with CnC Server

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Async RAT payload

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2