agenttesla | 0cfb6932e490ea78f85fcd57fc9bda95f274867dfd0dbcb3515bb1f7009626b4 | Triage

Submit
Reports

Overview

overview

Static

static

PO-04375KTG.vbs

windows7-x64

PO-04375KTG.vbs

windows10-2004-x64

7

Sharing

General

Target

PO-04375KTG.vbs
Size

313KB
Sample

221206-htan6adf25
MD5

92cf45fd34496ac41434463f0d02f4a0
SHA1

d5027385be35f4ac68b622aa993b9a568ac16ac4
SHA256

0cfb6932e490ea78f85fcd57fc9bda95f274867dfd0dbcb3515bb1f7009626b4
SHA512

80597f875019d1fc4ff7999de22c355309bc15cde17195ada4bc4be5501240c84a82e8e657446684a8ac4de3b26af5e04121abe6cb98fdcb4f610163fb6f176b
SSDEEP

6144:x+YqqUnWShek49zVzVi+9/Pwy/4qXeV0b6bEWAChB/BpKhp69:50Tl43zViQFeuriB/B2U

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO-04375KTG.vbs

Resource

win7-20220901-en

agenttesla collection keylogger spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

PO-04375KTG.vbs

Resource

win10v2004-20221111-en

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.trualliant.com
Port:
587
Username:
[email protected]
Password:
trualliant123
Email To:
[email protected]

Targets

- Target
  
  PO-04375KTG.vbs
- Size
  
  313KB
- MD5
  
  92cf45fd34496ac41434463f0d02f4a0
- SHA1
  
  d5027385be35f4ac68b622aa993b9a568ac16ac4
- SHA256
  
  0cfb6932e490ea78f85fcd57fc9bda95f274867dfd0dbcb3515bb1f7009626b4
- SHA512
  
  80597f875019d1fc4ff7999de22c355309bc15cde17195ada4bc4be5501240c84a82e8e657446684a8ac4de3b26af5e04121abe6cb98fdcb4f610163fb6f176b
- SSDEEP
  
  6144:x+YqqUnWShek49zVzVi+9/Pwy/4qXeV0b6bEWAChB/BpKhp69:50Tl43zViQFeuriB/B2U
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy