agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

DOGLAA09299.zip
Size

1.2MB
Sample

221125-wp25hadg32
MD5

9ebf675cce1ca4a932bff1776ed9e845
SHA1

ee78341e9f6aa92df91b857fef34640980cae53b
SHA256

4d06c1d981fe3e69f753774b7c417fc8e0267eb8195281a2c7670bde242baa16
SHA512

2738f75adea44c291e6a80f56e1aecafb56a3a0ab98adce66a35672507db5fb6f3d28cbb50c1455d5155bcda579866549d36eb7d0a8cc50d0e3120c53b0420ef
SSDEEP

24576:ut5M+LRdupmymGLhl0PbtGzmXYX6Y4gQ0I7i0jC5qov/CWob:o5/1+m6hloYLX6T/0IL23ob

Score

10^/10

Malware Config

Extracted

Rule

Microsoft Office MHTML OLEObject

https://kasangatitc.go.ug/haze/hot

Extracted

Language

xlm4.0

Source

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tpcj.com.my
Port:
587
Username:
[email protected]
Password:
tpcj@1qaz

Extracted

Language

xlm4.0

Source

Targets

- Target
  
  DOGLAA09299.slk
- Size
  
  99KB
- MD5
  
  b15cb4d4351428b869c2b96ab698a235
- SHA1
  
  752ab3a34576882ac7eecb4b17eba07142a9fa5d
- SHA256
  
  b286742b13f2bf5710d9145c08b25a5c642a08429c7d68e6f7417efbb728ad0f
- SHA512
  
  d3e807aa94d17651cb4f94229d943d9d5843ba0189f470f4bfa91126595ac62a71176210a162a6d7a519db4082135dcd2937d8a2a60e9983a81dbbf0272f6967
- SSDEEP
  
  768:LPe1DrROIzEG5UiqRwUbvChwhSoJRxBIHchUAK5/b+GHB6DNUFV+lodf5w:L0J/YG5F+wqvChfwvBIVgGh6USodhw
Score

7^/10
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  DOGLAA84299.xll
- Size
  
  4KB
- MD5
  
  648c7283545b0b428dfcfa6956dc0d50
- SHA1
  
  597dfd397c613689df8de58a25db1293b38d342b
- SHA256
  
  72ddcbe3b2e8d2dba87b8bb2a925f50209610f3e74876cd82234c35c6f6eb217
- SHA512
  
  cfc1a89c6ea01e2f16d6aa943bc8bf23ff403e7de1feb1ed6ba5c2317a97a94f744122ba45ed7ee65d746ceb5806d9998343d6eddec7c365d4f72d4f115b108f
Score

10^/10
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  PO#220025.docm
- Size
  
  183KB
- MD5
  
  1f0bb5ba46fc90ad459950a93448487e
- SHA1
  
  5d5935d58c8b4c6e95763ae78915c27ad4130c17
- SHA256
  
  23e18fcb839648044da97fbe8b9e71c4d71a93dce69477b078c37cb2224ac505
- SHA512
  
  1a9ab2c37b2f87610d2d8086247736f9cb3391d5ce7c9421ab48662fa583f80cea8bca488b212e4b52da90fecf8385b5f853650e5ea0b30b57351e9ecaa7a685
- SSDEEP
  
  3072:FBqWZUGD/xAXvNfzE3RIg+Z+ydoLmnUew+oM/ddl8DSVurVq6jw9Vgw:vqWZFDpA1E3+x/Pw+h/7URqD9Vx
Score

4^/10
behavioral5 behavioral6
- Target
  
  PO#220067.docx
- Size
  
  141KB
- MD5
  
  274e1c029e66a8c6d080584e5aa7db53
- SHA1
  
  78583f54ab80639eb2faa42b8370f4ec6959d134
- SHA256
  
  028ad66f6323a5e263cd0cc5e6bae04a1d2b369a8053b0e8253479b67d6a2e53
- SHA512
  
  73adc762828db846f4869057a360c8ae7213f239d7e1068b14ed95db280589727fc4055091c3f132662d93d42075ac49f6ef5fecaaefa6ac6a552542fac9749d
- SSDEEP
  
  3072:2yjbsqr5gIDOjKbl0BYmd7xkgYD668ica/3gsEbVq6jw9Vgf:rjY86juoYqij4OgsyqD9Vi
Score

4^/10
behavioral7 behavioral8
- Target
  
  PO#specification803.xll
- Size
  
  4KB
- MD5
  
  7e2b190d39c3d417b129c5bb21f5e176
- SHA1
  
  deda904f8dd3467b66abe76435ee91e2ee22f985
- SHA256
  
  7a203040bb91452e8c22699e9ea5ad344c60845260b4b2614f335a8f4a460d76
- SHA512
  
  9028112dd7711670e09a3b4c09a581c768eb73ad4a180f50a35a3444e8c881f48eaf044b92640330de23783e2071bff24c54f41518a02ab900f807b36e69915b
- SSDEEP
  
  96:Z1ui+ZpnCnxU5QozJinl2Y8lTJRJarnWHfIfc:L+ZpnCnxUqbIRJmW/L
Score

10^/10
- Loads dropped DLL
behavioral10 behavioral9
- Target
  
  PO#specification891.pptm
- Size
  
  273KB
- MD5
  
  339ab119012f18b6fc008c08198f4f53
- SHA1
  
  9d60648226656cfd2e3c07cf2d267923ea4fb768
- SHA256
  
  94488e105fcd56a4f71e8a308e4df2cdcb9bd913ccacd64eb1ea46498fedad6e
- SHA512
  
  c819ea74428cb59e7185339dc4d55d5f58a5195e4c0b0de366536c855d334319e906f21ad9d4ec60d36a512bc0580e4a4e64cb43fd3c28e4f316afea81ba3819
- SSDEEP
  
  6144:vq/3vL+/OksitzOnOvzDTI2KBtHkKMrLmWEqp/hXMLv2kHHxq9IKdfpzK:vc3vLFZ1OvvYBtUYqp/2Lv2oYdbm
Score

1^/10
behavioral11 behavioral12
- Target
  
  Sample#573.rtf
- Size
  
  104KB
- MD5
  
  675d971b843af96403efec6a61d5a3f7
- SHA1
  
  1b870415d1e186b7dd7335e4456a4fc4e3dd671f
- SHA256
  
  02372b68005ed25c157b4c39afc01e6244182d3b33631157668ecbc17b01f091
- SHA512
  
  e299a3f92c53743a957a41bac73b534c61fbd294f94aa2cc714cc849461dfc1ee065cb549a8a87774714f112121c8bdd69846d4f5c58b3bcb8fac0a6c2d356b0
- SSDEEP
  
  1536:Y9/MQZ4Tvb4jKFty2dNvb4jKFty2BcPvb4jKFty2I:YB2nyKFt7ZyKFtQLyKFtO
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
behavioral13 behavioral14
- Target
  
  otxnow.dotx
- Size
  
  180KB
- MD5
  
  7a9276d0f59d6fe7cf6f85a3bdec633e
- SHA1
  
  d9c3f2c90a8fd04964d885377c3e165bda664003
- SHA256
  
  bfb0f18485124995d40294ed8cd3f2c74ec4ff40aecd9b7507a8b03d09bf98a6
- SHA512
  
  e65b120fadde96528a17c31a54e574a9cb6314dc1fc5a903daf94c241150c7d32510617b583e2ec761410f3273b85a3c656a13853585490fcd8b2dcdba0d9e41
- SSDEEP
  
  3072:u7D/xA9vNU69piDDxr45O4ALFWa6FD7r1inEnBKh+4PEPAmFVq6jw9VgF:gDpyRiDZ4Y4udeP1inQhiE4mrqD9Vk
Score

4^/10
behavioral15 behavioral16
- Target
  
  pptxnow.pptx
- Size
  
  438KB
- MD5
  
  54ed3c2e86e99a8faf0d14ca580f97a2
- SHA1
  
  aaf7c4b2fe00ed3b4e0f3e2553fe06db7d330169
- SHA256
  
  93334a89b5fcb577239a01e4204205499b85ccbebbbbea61673cd46dde97efd8
- SHA512
  
  dea3d33ee5f606e32e6488c53856a282bf4fa051871513ca8d3be2ffb51c5214ff962298963ab464f9f29348657c5d3e105eafa3a5139adf6d47b6281e2b1aa8
- SSDEEP
  
  12288:AyS6KISpqOinFXpo+qZc8s4CjC4Xt7UycIKKsT3:AP7Iwjijqu9/CCoz3
Score

1^/10
behavioral17 behavioral18

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Loads dropped DLL

Loads dropped DLL

Loads dropped DLL

Process spawned unexpected child process

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Accesses Microsoft Outlook profiles

Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18