agenttesla | 4b9015eb413a5c3900836fef95d16ff8b32e36a929851b42d037e79ddcf282b9 | Triage

Submit
Reports

Overview

overview

Static

static

1

Maersk Lin...18.rtf

windows7-x64

Maersk Lin...18.rtf

windows10-2004-x64

1

Sharing

General

Target

Maersk Line Bill of lading_invoice018.doc
Size

47KB
Sample

230420-lwanqaha52
MD5

f56b241fc782c9f48c07f4250fdc07ea
SHA1

0f6fdab4d9906867867c278a52bc249cd243f710
SHA256

4b9015eb413a5c3900836fef95d16ff8b32e36a929851b42d037e79ddcf282b9
SHA512

39305a76b20b462078a1e0f8e1996f3a6faa98f8f8b0f79a00bc29269077463d8e83c5cb9659a770539557329ff5857f9c0cfa39a4989f4145a15864a225ba01
SSDEEP

768:UFx0XaIsnPRIa4fwJMSiedKxniwNHm9h7Bbr6KKoyN/u5u1xd4/sXK:Uf0Xvx3EM+UxnJNHehFLvA/OyDaMK

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Maersk Line Bill of lading_invoice018.rtf

Resource

win7-20230220-en

agenttesla collection keylogger spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

Maersk Line Bill of lading_invoice018.rtf

Resource

win10v2004-20230221-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
qbkcioyfoxstxqax
Email To:
[email protected]

Targets

- Target
  
  Maersk Line Bill of lading_invoice018.doc
- Size
  
  47KB
- MD5
  
  f56b241fc782c9f48c07f4250fdc07ea
- SHA1
  
  0f6fdab4d9906867867c278a52bc249cd243f710
- SHA256
  
  4b9015eb413a5c3900836fef95d16ff8b32e36a929851b42d037e79ddcf282b9
- SHA512
  
  39305a76b20b462078a1e0f8e1996f3a6faa98f8f8b0f79a00bc29269077463d8e83c5cb9659a770539557329ff5857f9c0cfa39a4989f4145a15864a225ba01
- SSDEEP
  
  768:UFx0XaIsnPRIa4fwJMSiedKxniwNHm9h7Bbr6KKoyN/u5u1xd4/sXK:Uf0Xvx3EM+UxnJNHehFLvA/OyDaMK
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy