agenttesla | 145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa | Triage

Submit
Reports

Overview

overview

Static

static

1

AWB DHL 72...df.exe

windows7-x64

AWB DHL 72...df.exe

windows10-2004-x64

Sharing

General

Target

AWB DHL 7214306201 Shipment_pdf.exe
Size

485KB
Sample

230328-wbqjjscc86
MD5

aecb508586356ab8ea6bf6ce6cc964f4
SHA1

a9b192e515b1b4d396d8c6cb00565dd71af3ed4a
SHA256

145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa
SHA512

6513d11154d048eacca468ace53e6eca9a01a84116ff56f1d3b44cfc0644ac48f17e36c8a4c8baa8eb2a7d2c353fb6acb05c969c1d69598ef566090a38f8640a
SSDEEP

12288:sK3FTyoJ43erqBTIDkh0eTR46bTXEYCkjX2w4vU1upOQAW:UsaBBTRh04RJELkjXAcAs/W

Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

AWB DHL 7214306201 Shipment_pdf.exe

Resource

win7-20230220-en

agenttesla collection evasion keylogger persistence spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

AWB DHL 7214306201 Shipment_pdf.exe

Resource

win10v2004-20230220-en

agenttesla collection evasion keylogger persistence spyware stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5409839916:AAEYUYZy0IhJQAm4VXi620si4okGW8FDL2w/

Targets

- Target
  
  AWB DHL 7214306201 Shipment_pdf.exe
- Size
  
  485KB
- MD5
  
  aecb508586356ab8ea6bf6ce6cc964f4
- SHA1
  
  a9b192e515b1b4d396d8c6cb00565dd71af3ed4a
- SHA256
  
  145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa
- SHA512
  
  6513d11154d048eacca468ace53e6eca9a01a84116ff56f1d3b44cfc0644ac48f17e36c8a4c8baa8eb2a7d2c353fb6acb05c969c1d69598ef566090a38f8640a
- SSDEEP
  
  12288:sK3FTyoJ43erqBTIDkh0eTR46bTXEYCkjX2w4vU1upOQAW:UsaBBTRh04RJELkjXAcAs/W
Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy