agenttesla | a06b89ab8de11d1a00a2cfaafeafa96a84e1c867c9650d2574ab5c5965195ce8 | Triage

Submit
Reports

Overview

overview

Static

static

Order #K0137080.vbs

windows7-x64

Order #K0137080.vbs

windows10-2004-x64

7

Sharing

General

Target

A06B89AB8DE11D1A00A2CFAAFEAFA96A84E1C867C9650D2574AB5C5965195CE8
Size

137KB
Sample

221123-r2rgbadb31
MD5

7bc0701880cef8b250bc839c02c440d7
SHA1

08929a6a39c4c3e6627e26fb1c698654b3e14b1b
SHA256

a06b89ab8de11d1a00a2cfaafeafa96a84e1c867c9650d2574ab5c5965195ce8
SHA512

9db37ed8d23dcca87a1ca419049c5a80dbfb101fc66a9453c0f0c2dc9a06ebb42095753256bdfaa16f6c3f85c0a8219467ad80239a9718b983f6408b5f1fa1af
SSDEEP

3072:IV2fcI4tf7gOLVzruUhsvkVlKjz4tTllIUC+ZY:ZwfEOLVzruClKvql2+C

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Order #K0137080.vbs

Resource

win7-20221111-en

agenttesla keylogger spyware stealer trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

Order #K0137080.vbs

Resource

win10v2004-20221111-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.lansol.com
Port:
21
Username:
[email protected]
Password:
@t6cIop2jJgW

Targets

- Target
  
  Order #K0137080.vbs
- Size
  
  236KB
- MD5
  
  96fab6f37daa6c05627d826d62db3199
- SHA1
  
  1ab3d160bc854e0cbc875438896c58d6c4c886b2
- SHA256
  
  1cd7d45d2466ce4a8220edc05bc8a9141e89f80e7e0f33ff61a6200011442bad
- SHA512
  
  059a9a60221f117f2258b14bfa218351f913156635e79751534256a1d9bc2867c0ced84f5bba3c4345c41e0aded7fde6471d1c294fc2569672010e31a88d9ccd
- SSDEEP
  
  6144:D78FFZJ4u+WvCjd2Zj21DL8rWl5/0ahnAMANPh:X8FP9XvCjd2h2tL0STVAdh
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy