agenttesla | c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809 | Triage

Submit
Reports

Overview

overview

Static

static

1

c730d9043c...09.exe

windows7-x64

7

c730d9043c...09.exe

windows10-2004-x64

Sharing

General

Target

c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809.exe
Size

1.7MB
Sample

230206-rrve8aec79
MD5

f0b6cd86a2a88851836dc68b9d6e5995
SHA1

14e3b625bf2572fe6c7923392774adafbbb365bb
SHA256

c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809
SHA512

c10a2ec7b34f575513afbf3355fd534027879fde0ab5cc2ec32c80bc0164e328044ab12249f94b7594cab6d3099578bdc1209be6f0052b1540e4e774b48fad2a
SSDEEP

24576:/svHDgmT4k5ivRI/4RelcQ/dqFR/X5YTuXzkyLP0L+YFjX1twx+ILNl5YGZx:/2Dp4umRI/Vl3VwYqXIMO+SQocNx

Score

10^/10

agenttesla rhadamanthys collection keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809.exe

Resource

win7-20221111-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809.exe

Resource

win10v2004-20221111-en

agenttesla rhadamanthys collection keylogger spyware stealer trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.clipjoint.co.nz
Port:
587
Username:
[email protected]
Password:
melandloz64

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.clipjoint.co.nz
Port:
587
Username:
[email protected]
Password:
melandloz64
Email To:
[email protected]

Targets

- Target
  
  c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809.exe
- Size
  
  1.7MB
- MD5
  
  f0b6cd86a2a88851836dc68b9d6e5995
- SHA1
  
  14e3b625bf2572fe6c7923392774adafbbb365bb
- SHA256
  
  c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809
- SHA512
  
  c10a2ec7b34f575513afbf3355fd534027879fde0ab5cc2ec32c80bc0164e328044ab12249f94b7594cab6d3099578bdc1209be6f0052b1540e4e774b48fad2a
- SSDEEP
  
  24576:/svHDgmT4k5ivRI/4RelcQ/dqFR/X5YTuXzkyLP0L+YFjX1twx+ILNl5YGZx:/2Dp4umRI/Vl3VwYqXIMO+SQocNx
Score

10^/10

agenttesla rhadamanthys collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect rhadamanthys stealer shellcode
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslarhadamanthyscollectionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy