agenttesla

General

Target

MONSTERMCProtector.zip
Size

2.9MB
Sample

231202-r27hjade3y
MD5

e8a8b0cab9eb9a710fd7895ff764cc99
SHA1

39bc39ee525a3e4c3d18fd5fb07cb15463fbc701
SHA256

98c8e17db7c4e1f5cac1d3f8487e984802bb436a52620667d0c2ff602a6b1789
SHA512

d7f14f6c57bb93748fff6f6f028955a20423cc184deb8e3427b79a3262944c7f26a0d4cfe626d16be1fddc53f104ce16610baf4cd72eb7224619248299dd55e2
SSDEEP

49152:6btLYS4beqTlCIuvYiV5G+NxFczKZZsy6nqvJD5tlQLmd:6bRYS4CqTxYYiVk+NxFjZsylhDVjd

Score

10^/10

Malware Config

Targets

- Target
  
  MONSTERMCProtector.zip
- Size
  
  2.9MB
- MD5
  
  e8a8b0cab9eb9a710fd7895ff764cc99
- SHA1
  
  39bc39ee525a3e4c3d18fd5fb07cb15463fbc701
- SHA256
  
  98c8e17db7c4e1f5cac1d3f8487e984802bb436a52620667d0c2ff602a6b1789
- SHA512
  
  d7f14f6c57bb93748fff6f6f028955a20423cc184deb8e3427b79a3262944c7f26a0d4cfe626d16be1fddc53f104ce16610baf4cd72eb7224619248299dd55e2
- SSDEEP
  
  49152:6btLYS4beqTlCIuvYiV5G+NxFczKZZsy6nqvJD5tlQLmd:6bRYS4CqTxYYiVk+NxFjZsylhDVjd
Score

10^/10

agenttesla agilenet evasion keylogger spyware stealer themida trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

3

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

3

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

AgentTesla payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Maps connected drives based on registry

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4