agenttesla | 6e87e1c7ffeeb2ff4badfb5a7eff18a8d55de2ff5efef6ab1ec4820048214318 | Triage

Submit
Reports

Overview

overview

Static

static

1

3M KESİC�...23.exe

windows7-x64

3M KESİC�...23.exe

windows10-2004-x64

Sharing

General

Target

3M KESİCİ TAKIM MÜH FİYAT İSTEĞİ820272023.exe
Size

1.4MB
Sample

230330-jj8zmsda81
MD5

004fa1dc876651dfd0496d1618aaee85
SHA1

8e3eb714851e87d9c11529a2404fe26a5f2c43c4
SHA256

6e87e1c7ffeeb2ff4badfb5a7eff18a8d55de2ff5efef6ab1ec4820048214318
SHA512

720d5e44fb7cd238e6f597c21fe340aeed9c88008644d7ad3c25d93cc138b2e52375e29e450b559c205da755fff967c86e69f86d100b211bf671481f7860901e
SSDEEP

24576:xwiEM3bSghVC7G7bwXCrRLq0PqE2qpbh4lz1WQqp2pA19CA9+:6cb1hV/8X9E2qBh4x1WQAl8

Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

3M KESİCİ TAKIM MÜH FİYAT İSTEĞİ820272023.exe

Resource

win7-20230220-en

agenttesla collection evasion keylogger persistence spyware stealer trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

3M KESİCİ TAKIM MÜH FİYAT İSTEĞİ820272023.exe

Resource

win10v2004-20230220-en

agenttesla collection evasion keylogger persistence spyware stealer trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5409839916:AAEYUYZy0IhJQAm4VXi620si4okGW8FDL2w/

Targets

- Target
  
  3M KESİCİ TAKIM MÜH FİYAT İSTEĞİ820272023.exe
- Size
  
  1.4MB
- MD5
  
  004fa1dc876651dfd0496d1618aaee85
- SHA1
  
  8e3eb714851e87d9c11529a2404fe26a5f2c43c4
- SHA256
  
  6e87e1c7ffeeb2ff4badfb5a7eff18a8d55de2ff5efef6ab1ec4820048214318
- SHA512
  
  720d5e44fb7cd238e6f597c21fe340aeed9c88008644d7ad3c25d93cc138b2e52375e29e450b559c205da755fff967c86e69f86d100b211bf671481f7860901e
- SSDEEP
  
  24576:xwiEM3bSghVC7G7bwXCrRLq0PqE2qpbh4lz1WQqp2pA19CA9+:6cb1hV/8X9E2qBh4x1WQAl8
Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Scripting

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy