agenttesla

General

Target

ANALYSE Nr. AR001-pdf.img
Size

1.2MB
Sample

230613-jtfqvafd99
MD5

9e2d4e1bb29c036814ffacf857731ad3
SHA1

61b4dc26785f41f9a64688db914fe21a560808fc
SHA256

9b9fd4e75521dbc8f66f3e137f43f844072a17c702bacd52719ad22bcb901ea3
SHA512

2cbacafb6bc509107c61913700c781b316a3f93d5bf12e99c61111cfa935ffaa316dbdfd2843d3a858cd861e2637fd4be5a72e3a6ca93302b5b7fae1b57f8ba7
SSDEEP

12288:w4dcTbsYoYZ4X8IvoL+9OzYoAG94gW2s:g+YlIvoLYQYoAfgW

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.vvspijkenisse.nl
Port:
21
Username:
[email protected]
Password:
playingboyz231

Targets

- Target
  
  ANALYSE_.EXE
- Size
  
  306KB
- MD5
  
  cdd187b140f787efa951fab18d274cfc
- SHA1
  
  04dd7b20c6ed955f23a745b18a6cf3ffdd1a6f94
- SHA256
  
  b3a1509f77da1f09f79e2d0d6b6c6938db01f8ec67fa6adcf992eeb5b6b8698a
- SHA512
  
  1248e398a051f9a5f4ded802a34e84a3fb57c17a83ff8973498dfc28b6497834b426ef80d4ac5873bb3ae063ca176c594de3276568745678269ac049fd8a5cea
- SSDEEP
  
  6144:ux4vyP05yb7EuugWVZ+oYZ4X8Ivo2K+9OzYoAG94FGiVU1xiZc0I/sO:Y4dcTbsYoYZ4X8IvoL+9OzYoAG94gW2f
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2