agenttesla | dc0b46a0add517f632937b605ff9d0820f8fefaf1e886c1ad3d0054d50a2a53e | Triage

Submit
Reports

Overview

overview

Static

static

1

BANK SWIFT.xls

windows7-x64

BANK SWIFT.xls

windows10-2004-x64

1

Sharing

General

Target

BANK SWIFT.xls
Size

169KB
Sample

230316-tryhzsbg37
MD5

de538eed80d8fd3d08ca320457cc5fef
SHA1

3880dcaebb4805aa968c118ceabc351d18ed27df
SHA256

dc0b46a0add517f632937b605ff9d0820f8fefaf1e886c1ad3d0054d50a2a53e
SHA512

1078f55767a5476f83ee529ae552a68c5fb71ed54258f13350304d795ca7f1127431fd66b283b3f5cafc5283371c8f2f3f37ac5844578ae8270574913cb66c93
SSDEEP

3072:gkZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAHeN2E:NZ+RwPONXoRjDhIcp0fDlavx+W26nAHc

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

BANK SWIFT.xls

Resource

win7-20230220-en

agenttesla collection keylogger spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

BANK SWIFT.xls

Resource

win10v2004-20230220-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/

Targets

- Target
  
  BANK SWIFT.xls
- Size
  
  169KB
- MD5
  
  de538eed80d8fd3d08ca320457cc5fef
- SHA1
  
  3880dcaebb4805aa968c118ceabc351d18ed27df
- SHA256
  
  dc0b46a0add517f632937b605ff9d0820f8fefaf1e886c1ad3d0054d50a2a53e
- SHA512
  
  1078f55767a5476f83ee529ae552a68c5fb71ed54258f13350304d795ca7f1127431fd66b283b3f5cafc5283371c8f2f3f37ac5844578ae8270574913cb66c93
- SSDEEP
  
  3072:gkZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAHeN2E:NZ+RwPONXoRjDhIcp0fDlavx+W26nAHc
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy