agenttesla | 3dff084b15ce8f39dbbb23b1a0ccad0634f716cc35218572349ed31d36effec2 | Triage

Sharing

General

Target

3DFF084B15CE8F39DBBB23B1A0CCAD0634F716CC35218572349ED31D36EFFEC2
Size

329KB
Sample

221123-r1qtdsaa49
MD5

ca065cc2e9663ef334e9d1acd58b7478
SHA1

987618ce3897f8de4f199b84d1ad35e8432eb5b6
SHA256

3dff084b15ce8f39dbbb23b1a0ccad0634f716cc35218572349ed31d36effec2
SHA512

62bf555381736c7c1e95375e455377abf9fb5ca827d40db2cd645bc5f3344f28e199844bd2d10085293cf395bcfb4009a2636afd514d3849529fb87cde53913e
SSDEEP

6144:5sXzfyHVN7CTbT1WWvw6MbtWfLkidIPCbx2EDUfuFiFZWO12/pyEG4/22LMGnjTF:59b7CRzv3QAT6PCbIfuB62/pybBe

Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5705602282:AAFcwBeX9coGMKJeokPZOq06CS7N1H2rCJI/

Targets

- Target
  
  DHL_AWB 2870565795/DHL_AWB 2870565795.exe
- Size
  
  478KB
- MD5
  
  58f6a878d2834fe4ef2748a6ff34da71
- SHA1
  
  cd446f562bdb956a358c5230bc9b255356a5565e
- SHA256
  
  d2bd7d282670277d1f8f2f569ef18f889a634c11909d9f157d66837a66618717
- SHA512
  
  206fd2c9f0ba720e68951a329dd6a1760a474cf5313b05ff355dda9fec49f66f5c02c5ddf469a9f091926890a0345bb43de183e8990a7b47db45d5fe40e3a0b0
- SSDEEP
  
  12288:hznTdXs1M6tMy8JRwcM3ykuVu9p8KnZKzz+FWgxh0:9heMGMyCRwcGyz08KZKSW2
Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan