agenttesla

General

Target

Payment advis pdf.scr.exe
Size

375KB
Sample

221121-q89e2acd82
MD5

c841e0d1d9238121a768bceb6339f5c9
SHA1

62d9cfda2108525125a795467c62cda564c6ebb5
SHA256

2cf36ac3e8c07fcbeb2ec52dd992d2722aa68305db8d5a1dee9be0b6ccd186ef
SHA512

3834eb7529313c7653d46716790620c982f0a933fcabc4be1c37554b6bb198bd726f4dfaee0ee9b338c2f5d51a07294cd7c509b13f5ba78dc4cba3e5cdd782cc
SSDEEP

6144:ZVGdx6x2FUdnyePvRqloupOCaDU+tnvqtxKarFZJDJyUsN/hvRB7y:HtdyePvRTupTaDU+tvc3rpJslhj+

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.mcmprint.net
Port:
21
Username:
[email protected]
Password:
l9Hh{#_(0shZ

Targets

- Target
  
  Payment advis pdf.scr.exe
- Size
  
  375KB
- MD5
  
  c841e0d1d9238121a768bceb6339f5c9
- SHA1
  
  62d9cfda2108525125a795467c62cda564c6ebb5
- SHA256
  
  2cf36ac3e8c07fcbeb2ec52dd992d2722aa68305db8d5a1dee9be0b6ccd186ef
- SHA512
  
  3834eb7529313c7653d46716790620c982f0a933fcabc4be1c37554b6bb198bd726f4dfaee0ee9b338c2f5d51a07294cd7c509b13f5ba78dc4cba3e5cdd782cc
- SSDEEP
  
  6144:ZVGdx6x2FUdnyePvRqloupOCaDU+tnvqtxKarFZJDJyUsN/hvRB7y:HtdyePvRTupTaDU+tvc3rpJslhj+
Score

10^/10

agenttesla keylogger spyware stealer trojan collection
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2