agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

3852e3e3d446bb7feb8ca29573f2967360624e5a1bb0910dbb3a3e5dd686a948
Size

329KB
Sample

231121-cfczgacb6z
MD5

f97cbb53cf6542b40cfcb00a9d953eb3
SHA1

bce286027a9f1c531e55cb40e1819d6ad7c6733e
SHA256

3852e3e3d446bb7feb8ca29573f2967360624e5a1bb0910dbb3a3e5dd686a948
SHA512

c7d34911d0321f3586870b90d675013ff2fbce998967e529b1b9ada4b13a24157546c681a7e2238d98007773988517283923d3c3d8e37832c8b9aa48adfa99ac
SSDEEP

6144:0mCom4M/3IrohXBruKFNkrk8eN399bE58UDMrlxuXXhT2r:0Cnarqo8eNIDuDu1c

Score

10^/10

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6492548685:AAFSsnUD0WBiVAaUi2pEpecDU82loa1C6EU/

Targets

- Target
  
  3852e3e3d446bb7feb8ca29573f2967360624e5a1bb0910dbb3a3e5dd686a948
- Size
  
  329KB
- MD5
  
  f97cbb53cf6542b40cfcb00a9d953eb3
- SHA1
  
  bce286027a9f1c531e55cb40e1819d6ad7c6733e
- SHA256
  
  3852e3e3d446bb7feb8ca29573f2967360624e5a1bb0910dbb3a3e5dd686a948
- SHA512
  
  c7d34911d0321f3586870b90d675013ff2fbce998967e529b1b9ada4b13a24157546c681a7e2238d98007773988517283923d3c3d8e37832c8b9aa48adfa99ac
- SSDEEP
  
  6144:0mCom4M/3IrohXBruKFNkrk8eN399bE58UDMrlxuXXhT2r:0Cnarqo8eNIDuDu1c
Score

1^/10
behavioral1 behavioral2
- Target
  
  1.js
- Size
  
  23KB
- MD5
  
  0fec59fc91143d58dfe0f0f14d4e5f08
- SHA1
  
  76de24642195a5b6a14281fdbc457bc614916eba
- SHA256
  
  94d7bd6201394056c5732fdf0064a2217edd83816f5805ff91b5db0b8f52f7a3
- SHA512
  
  2278800a84137d9027ca95225ed7fd6cd06b34c7939464583cfd64e22db0217958b87d0584020fa38d0db3fbb33434b978b56e63651df716ac99580eac0f52be
- SSDEEP
  
  384:Fuv8G5Esgus0/0tW2KPM3Ce5/F7C4sEgGz38dOQIOlkDxDM/5xAUZvqIRyi:gvVUusQrcCe5/F7C4sEzzMMQDlkdQ/7j
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  2.vbs
- Size
  
  63KB
- MD5
  
  d7f4238ff5acac175beb585a26c9cef2
- SHA1
  
  d451e565ec848d6fb1e5562c2a50ab4fb06d6a4f
- SHA256
  
  816a6f59d836acb9545db79aa246be0be62f43e330c5c93796b1fe2455eab504
- SHA512
  
  57bc54e5f52d6d7e780930ba82f5b0f8d72a6cd8ea580430dea73ffe37dec93f1a9ccec70f01d4ced88bc2dac4fcf6e9d920d47708a098f78b119b2eb79c4628
- SSDEEP
  
  768:efTBMY0EFQXNaY7jwox9F40IZZKlWD7v/IJRxQzPho+Qz0eNgzTMTH6cmJ:e24Yf/xn40IZZGWDsxKPgzuTMecmJ
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  3.vbs
- Size
  
  241KB
- MD5
  
  24f7db07213c00b85854d513b3a8061a
- SHA1
  
  566085ff56c9c111a58e0f2a61fcdaaf49426143
- SHA256
  
  1c8ba53a0df3d48bd031a348f36b5d75ac78db8d94987a3368a9c49429b47222
- SHA512
  
  2efefddb776099f698b32d7fd5c41ee644cbc4e0994f849b3f8ecafed674344ce7396212e778d2fc62f17b5343787555ed52b76af6361fe4736d712be90b3a8e
- SSDEEP
  
  6144:BBruKFNkrk8eN399bE58UDMrlxuXXhT2K:Brqo8eNIDuDu1N
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AgentTesla

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8