agenttesla | f77a389fbc2335a548776f68c73746c077e4ee29532b14bb2906a422178604da | Triage

Submit
Reports

Overview

overview

Static

static

1

Quotation ...23.bat

windows7-x64

8

Quotation ...23.bat

windows10-2004-x64

Sharing

General

Target

3.zip
Size

991KB
Sample

230331-qtx4fsba71
MD5

5ced90e370f8c7214ba3caf5110849dc
SHA1

5e0359a18972c13f13c41b4fcfa40c27cb63ce54
SHA256

f77a389fbc2335a548776f68c73746c077e4ee29532b14bb2906a422178604da
SHA512

fd23347b813680585f3c10103f45383b66500cb619d9e7951c02b4f3e0bddadd6b4ea7e70b23ecce6cdc41c695aa1a0a6392a77f24885e76122560d0ce53da11
SSDEEP

24576:chIVGnseePJp3jr0A7bxRm9+e7P71q0YiQ+hRW9fe35gBAu:W+GnRe3jQSbxR/STw0YiQAmbAu

Score

10^/10

agenttesla microsoft evasion keylogger phishing spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Quotation 911799 - EM092723.bat

Resource

win7-20230220-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Quotation 911799 - EM092723.bat

Resource

win10v2004-20230221-en

agenttesla microsoft evasion keylogger phishing spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/

Targets

- Target
  
  Quotation 911799 - EM092723.bat
- Size
  
  1.3MB
- MD5
  
  9f8f23997c4e07be88d8dbe835c8b6ed
- SHA1
  
  9f40b97b7e1605b05174a6547b9ff470511d5a1f
- SHA256
  
  a354101aa8c8db6f2b337ebc68571edd296d374ad8a99f79fd62d2c07321993e
- SHA512
  
  5c0660381331a47163f7cd4e1e87c156966dd8c068d852073429523d29e92c934f3de381a7bd8e6cf1efaf94b21864c91c620b850e93c2399ccef476d8228586
- SSDEEP
  
  24576:VXdQ7L0Et7plPQaneOkwJzHqOoLokXb184bQM9w5WpFapcq+14kEKaQ8wV9GtnR:KznmW1VH9w2S4QPGr
Score

10^/10

evasion agenttesla microsoft keylogger phishing spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

agentteslamicrosoftevasionkeyloggerphishingspywarestealertrojan

© 2018-2024

Terms | Privacy