agenttesla | 512041d2cf26aa8cdd11e5c0edd3a5047e887d18204e554875026ae850a49ffe | Triage

Submit
Reports

Overview

overview

Static

static

31072022-2.exe

windows7-x64

31072022-2.exe

windows10-2004-x64

7

Sharing

General

Target

31072022-2.exe
Size

757KB
Sample

221208-h7tn7acc3s
MD5

865ffbbf9721906c2f4802622261d34c
SHA1

04c04fb395f15820a5b22b6a5d0b377d04d95f98
SHA256

512041d2cf26aa8cdd11e5c0edd3a5047e887d18204e554875026ae850a49ffe
SHA512

84077e4b14367d5198b1d43a89963313395569fc3996dde3d04b693aabeccb0ae4dd055f7b51d5111e261ebde5d5188d2cff5dd4b6ed7606afa12ee538805c09
SSDEEP

12288:8wlhmomPZefBT2BRF0DKTNOJrKvG4R+0/kkUpsixfmAWwPtqvyuP/F:IomxiBT2BRF0CNO0vb+kUp5nnQFXF

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

31072022-2.exe

Resource

win7-20221111-en

agenttesla keylogger persistence spyware stealer trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

31072022-2.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1611551445:AAFDJ3yQMlB3zXJGib2_TFkq1jedBMj3GTw/sendDocument

Targets

- Target
  
  31072022-2.exe
- Size
  
  757KB
- MD5
  
  865ffbbf9721906c2f4802622261d34c
- SHA1
  
  04c04fb395f15820a5b22b6a5d0b377d04d95f98
- SHA256
  
  512041d2cf26aa8cdd11e5c0edd3a5047e887d18204e554875026ae850a49ffe
- SHA512
  
  84077e4b14367d5198b1d43a89963313395569fc3996dde3d04b693aabeccb0ae4dd055f7b51d5111e261ebde5d5188d2cff5dd4b6ed7606afa12ee538805c09
- SSDEEP
  
  12288:8wlhmomPZefBT2BRF0DKTNOJrKvG4R+0/kkUpsixfmAWwPtqvyuP/F:IomxiBT2BRF0CNO0vb+kUp5nnQFXF
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy