agenttesla | 532f654c0356db6de0e2b4d949afc2186b8055d35f9ea262eea09a4408cc3185 | Triage

Submit
Reports

Overview

overview

Static

static

SOA.docx

windows7-x64

SOA.docx

windows10-2004-x64

1

Sharing

General

Target

SOA.docx
Size

10KB
Sample

230309-gchsrshf71
MD5

acdde6c86a6da4bc93805cd855022b1c
SHA1

512ccadb3c7ea94b29171ef5dc00c149621472ca
SHA256

532f654c0356db6de0e2b4d949afc2186b8055d35f9ea262eea09a4408cc3185
SHA512

9400d0a8a9589e8e136f6a63c660445f3425666a53581b3fda3d7c603996bc737e7fde746a886fa2532fed6ae7f7abda0205a7c1deaa561071fee847c4720782
SSDEEP

192:ScIMmtP1aIG/bslPL++uOfNl+CVWBXJC0c3g5R:SPXU/slT+LOfNHkZC9gL

Score

10^/10

agenttesla collection keylogger spyware stealer trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

SOA.docx

Resource

win7-20230220-en

agenttesla collection keylogger spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

SOA.docx

Resource

win10v2004-20230220-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://yyyyyYYYYUUSUUUUUUU3243242UUU23U423U4UU2UWWWWW8W8W7W8WWWWWWW878W8W8WW78WWWW87W87W88WEEW787888W88W8W@392095676/79.79.79.doc

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5940813834:AAF8mKehOQ2jtgluy4NISP8DYRvxgz__xCQ/

Targets

- Target
  
  SOA.docx
- Size
  
  10KB
- MD5
  
  acdde6c86a6da4bc93805cd855022b1c
- SHA1
  
  512ccadb3c7ea94b29171ef5dc00c149621472ca
- SHA256
  
  532f654c0356db6de0e2b4d949afc2186b8055d35f9ea262eea09a4408cc3185
- SHA512
  
  9400d0a8a9589e8e136f6a63c660445f3425666a53581b3fda3d7c603996bc737e7fde746a886fa2532fed6ae7f7abda0205a7c1deaa561071fee847c4720782
- SSDEEP
  
  192:ScIMmtP1aIG/bslPL++uOfNl+CVWBXJC0c3g5R:SPXU/slT+LOfNHkZC9gL
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy