agenttesla | 278837977440d7f70135fa867391e3018fc871e3bfa50e22549db5acc6240afa | Triage

Sharing

General

Target

samples.zip
Size

670KB
Sample

221129-gkq44sef8w
MD5

59e4d70fa46fc9ab83baef40caff18e7
SHA1

fc2e2b0bc5e63ef860a51edb360995c8f51e5f10
SHA256

278837977440d7f70135fa867391e3018fc871e3bfa50e22549db5acc6240afa
SHA512

2e5ab6240ca137357c020033c6517e38fe1f553f66f3bca11b2e3dfd4ba9719242eb8eb9017ec45eac83a8417886ce3c04118f04b1cd310f01ffff5e21e9c35a
SSDEEP

12288:uJCf+xlV0SWDTvyewOmMKfP13Lucpjz5/lG6cqZ1921LC6SFPkux+KRv2qYifE:Y+Ke6BLlQEmePPdOqYic

Score

10^/10

agenttesla microsoft collection keylogger persistence phishing spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
magic4magic@yandex.com
Password:
magic123

Targets

- Target
  
  0d9e5116c1da200fa3a55c84ca2195eb7bbbd1e1
- Size
  
  334KB
- MD5
  
  584b853e5f597883fb56cc5e879d8a3d
- SHA1
  
  0d9e5116c1da200fa3a55c84ca2195eb7bbbd1e1
- SHA256
  
  a73fd985f5f38ff58dc3112bc46d7e81190bad5567220cf46efe5608c4e307f0
- SHA512
  
  88b7f8c6fb7f9a19bbb9eb818cdbc51a3e95c25ba890eaf95576a3a9dd81ab7fbce5ef5bced6dbe16ff731e70c157f17276681fcd00205d280d1ec12bd6eea55
- SSDEEP
  
  6144:UmdOCKkkGBQOItDWaCjsjj9TB91goSjUOp0NMzh3HnzLkYvsbB:rdvkGBjADt8LtV8kn
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  203dd97848f29e54a66e575ae670288e8fd4a5a7
- Size
  
  14KB
- MD5
  
  4ff69b632636d5873a72d8b9e5f49363
- SHA1
  
  203dd97848f29e54a66e575ae670288e8fd4a5a7
- SHA256
  
  91f3be1a3664e2df90205b238a162b2686039597796066598bb9c0fe6b42fc8d
- SHA512
  
  a47e196f33c6cd2d6fe1a770b6dee4988229cb9662d87783c726a25b948f47907ff0aa6c91dbd6c36f3a3c747396603c3f9f96606b4ac4607c11a1516833122e
- SSDEEP
  
  384:o7my13Huv7D6H28j7A4qtCtSrvyhkghaSH94Fwuxd:6z3ujD6H28qCtQSH9Ad
Score

6^/10

microsoft persistence phishing
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
behavioral3 behavioral4
- Target
  
  5d2a9e82b6098813fa230152de286f7712b5608f
- Size
  
  333KB
- MD5
  
  c1dfee07e576cc6c114bbe662788fe3a
- SHA1
  
  5d2a9e82b6098813fa230152de286f7712b5608f
- SHA256
  
  97dd39be1fa39f6c492968185bca20892db1d22b3b04ee8241d59da511bcfa28
- SHA512
  
  da947d5aac7a02b2731ed484941ce584d6002e27ebccfa51e37fddb2aa90351a2aaac9d86af4c53f4c28a77350e360bf6d025f589eabe3c06b49ef96361067ec
- SSDEEP
  
  6144:BFhd/LDhzE9ztQYkYk/DOSJ22QGw4c3SGg6eYvqbW:5d/HG0YNSJ22mL7
Score

7^/10

collection spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral5 behavioral6
- Target
  
  686e84d074c115785122ad304357729b28b4a54d
- Size
  
  452KB
- MD5
  
  a577f13733cb61a74f72b2c79a46e6cd
- SHA1
  
  686e84d074c115785122ad304357729b28b4a54d
- SHA256
  
  7316ca7e61a4a4e0c31aa87ee8ab68208befd090934f5d60e8932e6f2d73ea18
- SHA512
  
  1f116acabad277bad0e54b5069d0e4a53ab67d10909651d7db114f36af7b949d7dd072228033ff3df9ecdb8d83ade0392a9d3f0d0cd4dc94fbdfd1489ce5c233
- SSDEEP
  
  6144:qigNTXNVL4S6IFhd/LDhzE9ztQYkYk/DOSJ22QGw4c3SGg6eYvqbW:JgNT7Oid/HG0YNSJ22mL7
Score

1^/10
behavioral7 behavioral8
- Target
  
  ae30d28b17fbce8e55203ad863c40bab8fe802a3
- Size
  
  14KB
- MD5
  
  1ac8b9de402661ccd077fd4a8a0ce04e
- SHA1
  
  ae30d28b17fbce8e55203ad863c40bab8fe802a3
- SHA256
  
  5b97d70b1c2057207234a32f59e60e341b61204f215b63d9d849d11f6d186e55
- SHA512
  
  1845745b17c47c7f8e5349a12cd7cd99cf70e558ebec0addc7a298fe9aac4f5528c2c848b5aa63f0fef4d0bef4d7d90600ee1b112e95d8b0b88b6716f468b40c
- SSDEEP
  
  384:Y+Um+OJbooSE325j7V81cwLCza/0ejFkXha1H94l5Z1V:FkOJbPSw25NGCza/08j1H9qZz
Score

6^/10

microsoft persistence phishing
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
behavioral10 behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral3

behavioral4

microsoftpersistencephishing

behavioral5

collectionspywarestealer

behavioral6

collectionspywarestealer

behavioral7

behavioral8

behavioral9

behavioral10

microsoftpersistencephishing