agenttesla | 4253ad86765c8e4330ec5c36b119d4ddb790caed7c32bd8bf54ac28dc4812e41 | Triage

Sharing

General

Target

57d7bd758bf432050f65a0df7cc3b4b9.bin
Size

503KB
Sample

230924-bypkjsbe6z
MD5

81572abbe1c1d31a1f9d531937484244
SHA1

028722d148614e7b03dafa50c2070b5fb837eb3f
SHA256

4253ad86765c8e4330ec5c36b119d4ddb790caed7c32bd8bf54ac28dc4812e41
SHA512

f1db547cae0ea064f21e847a07ced964a7968483434bd36fb67dbf6ed8ef30ae6e2cffab0d705e800458b86ec7e36f5f42be94ab248432b016c8c0223a7be493
SSDEEP

12288:n3YAgzUUj6ewoWTjaNVv6ky5BgAnSQEyvvd4ytj4dmkiX1w8:n3JlUuewoWTjixJy5WqSSilE1w8

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.frontierfulfillment.com.my
Port:
587
Username:
[email protected]
Password:
5_8B6kjVm
Email To:
[email protected]

Targets

- Target
  
  Swift_copy.pdf.exe
- Size
  
  777KB
- MD5
  
  8a559554176d6e2cbb12389098eb6825
- SHA1
  
  be1bd0f78973e68fa32dc0c28f32ffdc20043538
- SHA256
  
  dadca1f5e784742f6e72c59228f1887dfd5c7977c28b1198164e146fdff84555
- SHA512
  
  bd18983a37bb1951305bcc17e49258aa1e9ed3374980738dc8ca8fe06496a97d1f67cc131dee2d9b7bc289bafca8049c65974c57ae22a27442f24c3e3452f5d3
- SSDEEP
  
  12288:difdMNs6iHUz0THMMS+Mvj9aktRdx0a867A8/13lW3a2tRmwkHOi2s9s5Wgvxwrd:4FMNsCUrstRdxm8/1I3a2OWfWZ
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectionkeyloggerpersistencespywarestealertrojan