agenttesla | 45c80bfc78f3864e69056d98e91847c0da257e05469f1538978aa6e844f49224 | Triage

Submit
Reports

Overview

overview

Static

static

productXsp...s.docx

windows7-x64

productXsp...s.docx

windows10-2004-x64

1

Sharing

General

Target

productXspecifications.docx
Size

10KB
Sample

230215-kyyb5abb67
MD5

a54faaf77e243d002a066ed24194f186
SHA1

4f7ec24108e808a8ee6cbf77e2f1f760afc19dbe
SHA256

45c80bfc78f3864e69056d98e91847c0da257e05469f1538978aa6e844f49224
SHA512

6f5bf069c2ba67da690b4f1ed5798a69f410980f0e838c6fe24c9b616292adc8a1d0ffe989e35fd5b50898f89f43450827097b2cefb787583869ea6f9cdfc275
SSDEEP

192:ScIMmtP5hG/b7XN+eOSFbO+5+5F7Jar/YEChI3hBt:SPXRE7XtOa7wtar/YECOF

Score

10^/10

agenttesla collection keylogger spyware stealer trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

productXspecifications.docx

Resource

win7-20220812-en

agenttesla collection keylogger spyware stealer trojan

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

productXspecifications.docx

Resource

win10v2004-20221111-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQOOOOOOOOQOQQQQOQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@1806682775/OO.DOC

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
lawsaman@steveboi.com
Password:
!Gphfth8
Email To:
lawsaman@steveboi.com

Targets

- Target
  
  productXspecifications.docx
- Size
  
  10KB
- MD5
  
  a54faaf77e243d002a066ed24194f186
- SHA1
  
  4f7ec24108e808a8ee6cbf77e2f1f760afc19dbe
- SHA256
  
  45c80bfc78f3864e69056d98e91847c0da257e05469f1538978aa6e844f49224
- SHA512
  
  6f5bf069c2ba67da690b4f1ed5798a69f410980f0e838c6fe24c9b616292adc8a1d0ffe989e35fd5b50898f89f43450827097b2cefb787583869ea6f9cdfc275
- SSDEEP
  
  192:ScIMmtP5hG/b7XN+eOSFbO+5+5F7Jar/YEChI3hBt:SPXRE7XtOa7wtar/YECOF
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy