agenttesla | 23311a11d65e655d55d07d9db638fe865e36b1ef5ba022936678d076ca9f134b | Triage

Submit
Reports

Overview

overview

Static

static

rfq_items_...0.docx

windows7-x64

rfq_items_...0.docx

windows10-2004-x64

1

Sharing

General

Target

rfq_items_order_purchase_quotation_30012023000000000000.docx.doc
Size

10KB
Sample

230130-j6pvaabc8t
MD5

9136352a3a3208e5b87191b93eebff30
SHA1

ed48bacf8eec9fb8bae959b8c5cd084f0b545a68
SHA256

23311a11d65e655d55d07d9db638fe865e36b1ef5ba022936678d076ca9f134b
SHA512

e1bd869cb02d2c2e6ed7dcc24648deaccac96a830d93681c6399a2cb3a43fec94355aad8d6169d84bcc433ce3380ae3a17e6dbae5388e7de1264b02d03a87d1c
SSDEEP

192:ScIMmtP5hG/b7XN+eOtWO+5+5F7Jar/YEChI3yZ:SPXRE7XtO47wtar/YECOO

Score

10^/10

agenttesla collection keylogger spyware stealer trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

rfq_items_order_purchase_quotation_30012023000000000000.docx

Resource

win7-20221111-en

agenttesla collection keylogger spyware stealer trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

rfq_items_order_purchase_quotation_30012023000000000000.docx

Resource

win10v2004-20220812-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://dgdfghfjfghfghfghgfhfghfgsdgfggdfgdfgertdfgdfgdfg@3221452429/g.doc

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5672966801:AAGkdauVLuRijg4BBwGbZ-5sO2ggBTSZUHE/

Targets

- Target
  
  rfq_items_order_purchase_quotation_30012023000000000000.docx.doc
- Size
  
  10KB
- MD5
  
  9136352a3a3208e5b87191b93eebff30
- SHA1
  
  ed48bacf8eec9fb8bae959b8c5cd084f0b545a68
- SHA256
  
  23311a11d65e655d55d07d9db638fe865e36b1ef5ba022936678d076ca9f134b
- SHA512
  
  e1bd869cb02d2c2e6ed7dcc24648deaccac96a830d93681c6399a2cb3a43fec94355aad8d6169d84bcc433ce3380ae3a17e6dbae5388e7de1264b02d03a87d1c
- SSDEEP
  
  192:ScIMmtP5hG/b7XN+eOtWO+5+5F7Jar/YEChI3yZ:SPXRE7XtO47wtar/YECOO
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy