agenttesla | 9b93715fe216f728c472181dd81d1729de6dd3fcd52e6ecdc7c32b5a2210d849 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

5801_00fc37b52b2aec6ec238e9b895c8c4131392597b6c1dc75fd7bcf75f7f936a37.zip
Size

867KB
Sample

231120-rs8n8shd4y
MD5

30d9b2b99399c60b57a3793d32957809
SHA1

61163151cd95b1f967e17cb33d5164c313c718b2
SHA256

9b93715fe216f728c472181dd81d1729de6dd3fcd52e6ecdc7c32b5a2210d849
SHA512

fd73979e0ecde01a024928e2cbc0ca6dd2eac0b71c2ae5af06e3fb59416fb29726802f65f87198312de75e2c79b040c164204ae0149069f00400e6d8d306eeec
SSDEEP

24576:Sr8FD85Gtlv+MzZU45AKipQTZLYX5+/pWPrq0Oz0X3/i:KOkg5xU45AKipQFa5+f0pPi

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.amtechcards.com
Port:
587
Username:
[email protected]
Password:
puuAt8;(Y$NU
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.amtechcards.com
Port:
587
Username:
[email protected]
Password:
puuAt8;(Y$NU

Targets

- Target
  
  00fc37b52b2aec6ec238e9b895c8c4131392597b6c1dc75fd7bcf75f7f936a37
- Size
  
  1.3MB
- MD5
  
  9af598c4f0bc134064630a616ba1d6e4
- SHA1
  
  dda98eb1584d4586bd9d8c37256010d21e589d64
- SHA256
  
  00fc37b52b2aec6ec238e9b895c8c4131392597b6c1dc75fd7bcf75f7f936a37
- SHA512
  
  ae8c26a882fa28f974f8dceb76d39b979b95f676137f8b1727dc96a7af25312b2cf03e4cdfdbc46ebc54b84b67bca5cf370fd943c32b7eeea2221328ed132088
- SSDEEP
  
  24576:eWpPO48WQ+NFvq/JHe214jb7Hks0+60KiEKZ9/0VtK:RWYHe4b/0+6od/aK
Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaevasionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan