agenttesla

General

Target

Scan20221216192254.exe
Size

1.4MB
Sample

221216-kjcrwaed77
MD5

876f5f878fc3f716cd877443ee68f7e3
SHA1

35a223eadf77e713de0f6a7951fdb32ec5a48973
SHA256

dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920
SHA512

3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83
SSDEEP

12288:OixF+mYOpvTDg1Hoz+JE2QsO4BeylBqN6hFfX05M1pDUQDoC+v5c+JQZ24146/PQ:rCEHsOzj4j85M1hUQDAxzJX4vgkW

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

ThirdClients

C2

79.134.225.97:1558

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
appsync.exe
copy_folder
Appsync
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Appsync
keylog_path
%AppData%
mouse_option
false
mutex
Appsync-00ARH2
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Appsync
take_screenshot_option
true
take_screenshot_time
55
take_screenshot_title
mail;webmail;crypto;btc;ethereum;bitcoin;eth;outlook;foxmail;bank;email;compose;

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5169304639:AAEuGpfCL-hv_A-RdB_r9uRMHt_yvJZb2Z8/

Targets

- Target
  
  Scan20221216192254.exe
- Size
  
  1.4MB
- MD5
  
  876f5f878fc3f716cd877443ee68f7e3
- SHA1
  
  35a223eadf77e713de0f6a7951fdb32ec5a48973
- SHA256
  
  dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920
- SHA512
  
  3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83
- SSDEEP
  
  12288:OixF+mYOpvTDg1Hoz+JE2QsO4BeylBqN6hFfX05M1pDUQDoC+v5c+JQZ24146/PQ:rCEHsOzj4j85M1hUQDAxzJX4vgkW
Score

10^/10

agenttesla remcos thirdclients collection keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Email Collection

2

T1114

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Modifies WinLogon for persistence

Remcos

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2