agenttesla | da75778d7ebfe9d20f3f4e0d39691afbbf0aab526d509dae99010c92381c042a | Triage

Sharing

Copy URL Twitter E-mail

General

Target

HFQ098654567808.exe
Size

560KB
Sample

231103-kq1ghsha29
MD5

35b36d0ea52a8a62c6f029b3f0bf0935
SHA1

7c277fef0d5d26676662943368cdf4de5758d439
SHA256

da75778d7ebfe9d20f3f4e0d39691afbbf0aab526d509dae99010c92381c042a
SHA512

6be6ad9580ada3faa5c7f32f29e60338fc0696567223aba05f862881022ce23bcd22a6d4debe543dead6be7bd590fcd73a692aa3719ef2c99cfbcde7991eb6da
SSDEEP

12288:koWA468sXQx8+92WM+RtCurnVf99v8haK4+:z3useZ9RtVrV918T

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.daipro.com.mx
Port:
587
Username:
[email protected]
Password:
Daipro123*%

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.daipro.com.mx
Port:
587
Username:
[email protected]
Password:
Daipro123*%
Email To:
[email protected]

Targets

- Target
  
  HFQ098654567808.exe
- Size
  
  560KB
- MD5
  
  35b36d0ea52a8a62c6f029b3f0bf0935
- SHA1
  
  7c277fef0d5d26676662943368cdf4de5758d439
- SHA256
  
  da75778d7ebfe9d20f3f4e0d39691afbbf0aab526d509dae99010c92381c042a
- SHA512
  
  6be6ad9580ada3faa5c7f32f29e60338fc0696567223aba05f862881022ce23bcd22a6d4debe543dead6be7bd590fcd73a692aa3719ef2c99cfbcde7991eb6da
- SSDEEP
  
  12288:koWA468sXQx8+92WM+RtCurnVf99v8haK4+:z3useZ9RtVrV918T
Score

10^/10

agenttesla evasion keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaevasionkeyloggerspywarestealertrojan

behavioral2

agentteslaevasionkeyloggerspywarestealertrojan