agenttesla

General

Target

5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63
Size

1.0MB
Sample

221124-nggjtsdf9t
MD5

0ab4a2ab713a752c61f722baa1af6064
SHA1

c2da9dbb319b92a4179e6a3a9a8763cd1e294bcf
SHA256

5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63
SHA512

6e402ec98ca7e5fe0062f017a08832966c28db14b80b0bad2f324915e1cd42e97ed69ab0c3a52fd44d84052eeb4f83c011b349c9d17897e2f4acd42ee384d1a8
SSDEEP

12288:EY1FQqDi5HYIsMzxlyvODj0Ihz9/vNRWLLeyFNeMr+8pbnaeDAdp:V1mvNsqqwl+Ln2Mr+YzaSWp

Score

10^/10

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5169304639:AAEuGpfCL-hv_A-RdB_r9uRMHt_yvJZb2Z8/

Targets

- Target
  
  5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63
- Size
  
  1.0MB
- MD5
  
  0ab4a2ab713a752c61f722baa1af6064
- SHA1
  
  c2da9dbb319b92a4179e6a3a9a8763cd1e294bcf
- SHA256
  
  5ff4c3eb0ad5b96bf4f88fa2a99b2589275daebca86e03f904767221839dff63
- SHA512
  
  6e402ec98ca7e5fe0062f017a08832966c28db14b80b0bad2f324915e1cd42e97ed69ab0c3a52fd44d84052eeb4f83c011b349c9d17897e2f4acd42ee384d1a8
- SSDEEP
  
  12288:EY1FQqDi5HYIsMzxlyvODj0Ihz9/vNRWLLeyFNeMr+8pbnaeDAdp:V1mvNsqqwl+Ln2Mr+YzaSWp
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2