agenttesla | 65e6187f39c04791495ee9f6ab7789e14d8af67cc60f46e3f4ae645fcd1e3745 | Triage

Submit
Reports

Overview

overview

Static

static

UPDATED ORDER.docx

windows7-x64

UPDATED ORDER.docx

windows10-2004-x64

1

Sharing

General

Target

UPDATED ORDER.docx.zip
Size

7KB
Sample

230217-ngbzcafb57
MD5

d470a79f079cb5b9facc1d39616f1c7b
SHA1

8b509770aa35b97e15bc6c52d722348bd123adc2
SHA256

65e6187f39c04791495ee9f6ab7789e14d8af67cc60f46e3f4ae645fcd1e3745
SHA512

e830f2b754ffc0a42c629cd08d158493306234db30277963b297ed81729492cfd92abe5512ece5d543e00faa67bfb07f4a1007eb4f1b397a317e8d8632c0eb49
SSDEEP

192:toz4wfx7sWM7Ziu5rr4pYJqBd/bWuImgHL6HKY06w4tkIhOd:i4Ix7sWM7Zdr4UiNlTgWq14t8

Score

10^/10

agenttesla keylogger spyware stealer trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

UPDATED ORDER.docx

Resource

win7-20220812-en

agenttesla keylogger spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

UPDATED ORDER.docx

Resource

win10v2004-20221111-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQOOOOOOOOQOQQQQOQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@3118348624/O_O.DOC

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument

Targets

- Target
  
  UPDATED ORDER.docx
- Size
  
  10KB
- MD5
  
  045c9a932ad454a9c226e146d761b284
- SHA1
  
  eba9136f2eb1eef380b1dcdd3745f3ddb3631613
- SHA256
  
  59087ec2fbf8340268cd3aeeed9e4f3bd107cd2c1852a074f38e3723dfa7cf00
- SHA512
  
  19fc83fcdee224b4e64a5b333ce732a1bdbc8c086ac2d41a26e00c77dbf6bc22c34637936d8acf1cac4bc0a67ac3012713f432ce147a6137b13382a57579380b
- SSDEEP
  
  192:ScIMmtP5hG/b7XN+eO4DAO+5+5F7Jar/YEChI3nPV:SPXRE7XtO4DA7wtar/YECOnN
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy