agenttesla | 3c756278503cd67e4ca18fa2acbba31c308153b5801f24b222a42b4b3331c780 | Triage

Submit
Reports

Overview

overview

Static

static

1

TT Copy.xls

windows7-x64

TT Copy.xls

windows10-1703-x64

1

TT Copy.xls

windows10-2004-x64

1

Sharing

General

Target

TT Copy.xls
Size

381KB
Sample

231201-rc414sac84
MD5

26beb641321ce859d389a80ccd1416d9
SHA1

8a47f46ab9f3ed5fd132cd8f30ece15e6c47cf21
SHA256

3c756278503cd67e4ca18fa2acbba31c308153b5801f24b222a42b4b3331c780
SHA512

02c1f0b615d33f941d6a8a227fb9845bedbd01eee4a587368b95fb83bcf0ff16b4f9738aa7caaf65a9c7373bb9711e4f504bfc50a7dabf97b54fe1cf26239f5b
SSDEEP

6144:hn1m9kdb41yFtrP+9LFRLLckUXWnNFFtx/4pvbS3SF18XpzeHfOSWZJOOeRs5mOG:hOecoFt+LFRSWznxwdQBpKHfIeRKmOr6

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

TT Copy.xls

Resource

win7-20231023-en

agenttesla collection keylogger spyware stealer trojan

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

TT Copy.xls

Resource

win10-20231020-en

windows10-1703-x64

7 signatures

150 seconds

Behavioral task

behavioral3

Sample

TT Copy.xls

Resource

win10v2004-20231127-en

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.experthvac.ro
Port:
21
Username:
[email protected]
Password:
-8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_

Targets

- Target
  
  TT Copy.xls
- Size
  
  381KB
- MD5
  
  26beb641321ce859d389a80ccd1416d9
- SHA1
  
  8a47f46ab9f3ed5fd132cd8f30ece15e6c47cf21
- SHA256
  
  3c756278503cd67e4ca18fa2acbba31c308153b5801f24b222a42b4b3331c780
- SHA512
  
  02c1f0b615d33f941d6a8a227fb9845bedbd01eee4a587368b95fb83bcf0ff16b4f9738aa7caaf65a9c7373bb9711e4f504bfc50a7dabf97b54fe1cf26239f5b
- SSDEEP
  
  6144:hn1m9kdb41yFtrP+9LFRLLckUXWnNFFtx/4pvbS3SF18XpzeHfOSWZJOOeRs5mOG:hOecoFt+LFRSWznxwdQBpKHfIeRKmOr6
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerspywarestealertrojan

behavioral2

behavioral3

© 2018-2024

Terms | Privacy