agenttesla | 3b45aa04b89fb0138eb6e1854a34ab8f9fa1e1c22cdb504ee789d7358083452b | Triage

Sharing

Copy URL Twitter E-mail

General

Target

3b45aa04b89fb0138eb6e1854a34ab8f9fa1e1c22cdb504ee789d7358083452b
Size

799KB
Sample

230213-c4l72sac66
MD5

67dfa246512220298042e1826309d5c3
SHA1

73eb07fadfcc1d9c5b4ead9079e0b75647801c31
SHA256

3b45aa04b89fb0138eb6e1854a34ab8f9fa1e1c22cdb504ee789d7358083452b
SHA512

3006d90ced7d528302c2246282850652539be06bd32ca48e09b4c9cf954e4d85a39a6bc307f943bd17851e175b373490b60fc2c663ad0d9631eefecf9fab2c3d
SSDEEP

12288:Mgud7wHPfivNP6bPS502hAyigJLD3lOX3mrd9GOMnWiAQ+Sl:MxS6Nh5D5RDRrd9sX

Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mktron.in
Port:
587
Username:
[email protected]
Password:
VZZUQXTDyMCZ
Email To:
[email protected]

Targets

- Target
  
  3b45aa04b89fb0138eb6e1854a34ab8f9fa1e1c22cdb504ee789d7358083452b
- Size
  
  799KB
- MD5
  
  67dfa246512220298042e1826309d5c3
- SHA1
  
  73eb07fadfcc1d9c5b4ead9079e0b75647801c31
- SHA256
  
  3b45aa04b89fb0138eb6e1854a34ab8f9fa1e1c22cdb504ee789d7358083452b
- SHA512
  
  3006d90ced7d528302c2246282850652539be06bd32ca48e09b4c9cf954e4d85a39a6bc307f943bd17851e175b373490b60fc2c663ad0d9631eefecf9fab2c3d
- SSDEEP
  
  12288:Mgud7wHPfivNP6bPS502hAyigJLD3lOX3mrd9GOMnWiAQ+Sl:MxS6Nh5D5RDRrd9sX
Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan