agenttesla | 0755a10bbe45ec010a16f32e842c65be350eed0eb4b0e7cb1e2794986a34abb4 | Triage

Submit
Reports

Overview

overview

Static

static

8

Order MGE-...27.xls

windows7-x64

1

Order MGE-...27.xls

windows10-2004-x64

Sharing

General

Target

Order MGE-PO-2022-027.xla
Size

114KB
Sample

220927-j478vaeaej
MD5

42d05295b18da2d31022f2085f62c1c7
SHA1

0e9a4618e0fc737f52300d27f33af614bfbeb7bf
SHA256

0755a10bbe45ec010a16f32e842c65be350eed0eb4b0e7cb1e2794986a34abb4
SHA512

7c16d8daab58dd5bffa3ef23a1fe9fdb2087b3dbd41afdf20d5e132581787ed4b027bcea2cb8ab3bb2906cde2363021a965e96a5b40a185664783286b6119974
SSDEEP

3072:3eGk3hOdsylKlgxopeiBNhZFGzE+cL2kdAVVmF5nNUHukBva5UBmglG:3eGk3hOdsylKlgxopeiBNhZF+E+W2kdp

Score

10^/10

agenttesla collection keylogger macro macro_on_action persistence spyware stealer trojan

Static task

static1

macro macro_on_action

1 signatures

Behavioral task

behavioral1

Sample

Order MGE-PO-2022-027.xls

Resource

win7-20220812-en

windows7-x64

7 signatures

300 seconds

Behavioral task

behavioral2

Sample

Order MGE-PO-2022-027.xls

Resource

win10v2004-20220812-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004-x64

19 signatures

300 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
185.216.71.84
Port:
21
Username:
blessed
Password:
!!@@##$$%%^^

Targets

- Target
  
  Order MGE-PO-2022-027.xla
- Size
  
  114KB
- MD5
  
  42d05295b18da2d31022f2085f62c1c7
- SHA1
  
  0e9a4618e0fc737f52300d27f33af614bfbeb7bf
- SHA256
  
  0755a10bbe45ec010a16f32e842c65be350eed0eb4b0e7cb1e2794986a34abb4
- SHA512
  
  7c16d8daab58dd5bffa3ef23a1fe9fdb2087b3dbd41afdf20d5e132581787ed4b027bcea2cb8ab3bb2906cde2363021a965e96a5b40a185664783286b6119974
- SSDEEP
  
  3072:3eGk3hOdsylKlgxopeiBNhZFGzE+cL2kdAVVmF5nNUHukBva5UBmglG:3eGk3hOdsylKlgxopeiBNhZF+E+W2kdp
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Registers COM server for autorun
  persistence
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy