agenttesla | e4cda1631a3df7932fb319567b2696e096d1f59f66a6d1611436217943bd692e | Triage

Submit
Reports

Overview

overview

Static

static

code.ps1

windows7-x64

code.ps1

windows10-2004-x64

Sharing

General

Target

code.ps1
Size

138B
Sample

220930-3trynafbc8
MD5

efa136867081936967a0ac27271b2fda
SHA1

756f0d9e09882c8531618458e5d582fd5b46fbad
SHA256

e4cda1631a3df7932fb319567b2696e096d1f59f66a6d1611436217943bd692e
SHA512

77e76132c86321792cb621cc9c9f298b59a6ee813553fb2199a1ea82c60549c95c38ed0574c25b40faecfcccdd7931134fae8817fa8ac30c0eb405e4a2eed711

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

code.ps1

Resource

win7-20220812-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

code.ps1

Resource

win10v2004-20220901-en

agenttesla collection keylogger persistence spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt

Targets

- Target
  
  code.ps1
- Size
  
  138B
- MD5
  
  efa136867081936967a0ac27271b2fda
- SHA1
  
  756f0d9e09882c8531618458e5d582fd5b46fbad
- SHA256
  
  e4cda1631a3df7932fb319567b2696e096d1f59f66a6d1611436217943bd692e
- SHA512
  
  77e76132c86321792cb621cc9c9f298b59a6ee813553fb2199a1ea82c60549c95c38ed0574c25b40faecfcccdd7931134fae8817fa8ac30c0eb405e4a2eed711
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Registers COM server for autorun
  persistence
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy