agenttesla | 605e2bf9c188c72177da3dd80ae80d80fb2ae131705ebcdce9842342c0e3db50 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

drafted_custom form 1.pdf.exe
Size

626KB
Sample

230918-q78r4shf71
MD5

b87d148004eb139cda3a2030a1761c77
SHA1

a397ebbe8ff7f2b75f03eb36207c923ef21ee203
SHA256

605e2bf9c188c72177da3dd80ae80d80fb2ae131705ebcdce9842342c0e3db50
SHA512

70c3f518640e47ed2bd537a0308c50a020bae8ce589d4458d291c95769594574f7d4b2e1bfd0cb9c9d82c528cc544a1646f50b28a5307df4074727f70981eedb
SSDEEP

6144:hWc/OVS2eBzg0vOOQEv0ifCEeQhGqbWGOdI3LMRC2vxivwA1khBHRqL5SIF:hWABzNOH+eQ8YO+3L2tx6wAw68IF

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.frontierfulfillment.com.my
Port:
587
Username:
[email protected]
Password:
5_8B6kjVm
Email To:
[email protected]

Targets

- Target
  
  drafted_custom form 1.pdf.exe
- Size
  
  626KB
- MD5
  
  b87d148004eb139cda3a2030a1761c77
- SHA1
  
  a397ebbe8ff7f2b75f03eb36207c923ef21ee203
- SHA256
  
  605e2bf9c188c72177da3dd80ae80d80fb2ae131705ebcdce9842342c0e3db50
- SHA512
  
  70c3f518640e47ed2bd537a0308c50a020bae8ce589d4458d291c95769594574f7d4b2e1bfd0cb9c9d82c528cc544a1646f50b28a5307df4074727f70981eedb
- SSDEEP
  
  6144:hWc/OVS2eBzg0vOOQEv0ifCEeQhGqbWGOdI3LMRC2vxivwA1khBHRqL5SIF:hWABzNOH+eQ8YO+3L2tx6wAw68IF
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan