agenttesla | d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4 | Triage

Submit
Reports

Overview

overview

Static

static

1

d037a0f1a4...4.docx

windows7-x64

d037a0f1a4...4.docx

windows10-2004-x64

1

Sharing

General

Target

d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.doc
Size

16KB
Sample

231201-xtds5sfd26
MD5

c6d1103403667550402d92301a0dbe62
SHA1

106f1b0488f98debf7599f602278185ffebd7a11
SHA256

d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4
SHA512

9094dcb1148347c39a240d033f5b78fc92ca072b21eb53c40954323d7e00a686b5ed145dac13ef51af5334f98bfc27913213ad250c697e31fae29abdda0fd96a
SSDEEP

384:ayXPNKVWWs8PL8wi4OEwH8TIbE91r2fRSJY5vim/Y1nz3:acP+55P3DOqnYJMMv//Y1nb

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.docx

Resource

win7-20231020-en

agenttesla keylogger spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.docx

Resource

win10v2004-20231127-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.royalwealth.space
Port:
587
Username:
[email protected]
Password:
sQxM4AdAZ5kY7As
Email To:
[email protected]

Targets

- Target
  
  d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.doc
- Size
  
  16KB
- MD5
  
  c6d1103403667550402d92301a0dbe62
- SHA1
  
  106f1b0488f98debf7599f602278185ffebd7a11
- SHA256
  
  d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4
- SHA512
  
  9094dcb1148347c39a240d033f5b78fc92ca072b21eb53c40954323d7e00a686b5ed145dac13ef51af5334f98bfc27913213ad250c697e31fae29abdda0fd96a
- SSDEEP
  
  384:ayXPNKVWWs8PL8wi4OEwH8TIbE91r2fRSJY5vim/Y1nz3:acP+55P3DOqnYJMMv//Y1nb
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy