agenttesla | aa800b27b3afb0ee91b9800f73a01a0c26156ee010032c8df84b415393804d14 | Triage

Submit
Reports

Overview

overview

Static

static

aa800b27b3...14.xls

windows7-x64

aa800b27b3...14.xls

windows10-2004-x64

1

Sharing

General

Target

aa800b27b3afb0ee91b9800f73a01a0c26156ee010032c8df84b415393804d14.xls
Size

813KB
Sample

221201-tyaqhaff52
MD5

5232ce0c0be5464c2b8798dec6189316
SHA1

4a10e8fec837c4959cc01a97a83d1fe62e5a45c2
SHA256

aa800b27b3afb0ee91b9800f73a01a0c26156ee010032c8df84b415393804d14
SHA512

38503ea80fb508d58cb22301fb4780653feacd5fb6de78bba7cc7ecff1733843de81398240408281fa3a01fedad2d64c968e7169a8c75dbd8c0a8cbebbc775d8
SSDEEP

24576:52Br5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXWmGr5XXXXXXXXXXXXUXXXXXXXSXXXO:15V

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

aa800b27b3afb0ee91b9800f73a01a0c26156ee010032c8df84b415393804d14.xls

Resource

win7-20220901-en

agenttesla keylogger spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

aa800b27b3afb0ee91b9800f73a01a0c26156ee010032c8df84b415393804d14.xls

Resource

win10v2004-20221111-en

windows10-2004-x64

0 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument

Targets

- Target
  
  aa800b27b3afb0ee91b9800f73a01a0c26156ee010032c8df84b415393804d14.xls
- Size
  
  813KB
- MD5
  
  5232ce0c0be5464c2b8798dec6189316
- SHA1
  
  4a10e8fec837c4959cc01a97a83d1fe62e5a45c2
- SHA256
  
  aa800b27b3afb0ee91b9800f73a01a0c26156ee010032c8df84b415393804d14
- SHA512
  
  38503ea80fb508d58cb22301fb4780653feacd5fb6de78bba7cc7ecff1733843de81398240408281fa3a01fedad2d64c968e7169a8c75dbd8c0a8cbebbc775d8
- SSDEEP
  
  24576:52Br5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXWmGr5XXXXXXXXXXXXUXXXXXXXSXXXO:15V
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy