agenttesla | 25eb6eaa92b7ecfccf496d1259b64fa876f63ea1b0ac4e6b69694ad4d7ee56b3 | Triage

Sharing

General

Target

25eb6eaa92b7ecfccf496d1259b64fa876f63ea1b0ac4e6b69694ad4d7ee56b3
Size

605KB
Sample

231204-ve97pada4w
MD5

ac8c1188fced20f8ce34309f01fd75eb
SHA1

a9fe9981b60a0b31e7fb18439c800361a1b3a55a
SHA256

25eb6eaa92b7ecfccf496d1259b64fa876f63ea1b0ac4e6b69694ad4d7ee56b3
SHA512

e27089683a20a510a74ffcddcbd89b17d10a5ea95e10c388d7ac0c5cc4c8f360f966ffca4247b187cd898674c78957af2c7cddc221f11d2233becdeda6421297
SSDEEP

12288:3mkhV1nasMSW320DgSq1o3GM7ovVvNOyQDYITk/SZMrnrGIzd9:Pr7X0DgSqCGM7od1uzJZMrnrGSd9

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.huyhoangvn.vn
Port:
587
Username:
[email protected]
Password:
huyhoangqa123
Email To:
[email protected]

Targets

- Target
  
  order B001.exe
- Size
  
  627KB
- MD5
  
  37f6a0d60cd4f997011d801ccd5801f9
- SHA1
  
  1d3c69938399f622330b0ea0f44aa293518fc5c8
- SHA256
  
  cd3561858ad85a86217ecd30e1acc1937c2a2efba5f3fbc2422645fea169dd5f
- SHA512
  
  470be45e3923ff486827c6fb3eba54e4998851f7e76737c53260cc42a853a306ea68ce1834c3f10def524a3ade2881982c371bb7ebd47b291036f60f85eded34
- SSDEEP
  
  12288:f45+po2DsuSyr2GJgSqlirGC7ovRxJwyWDYITYRZL0VIAHn8LkYFQ5:e+pJoXGJgSq+GC7oJXyzHVZHn8e
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

agentteslakeyloggerpersistencespywarestealertrojan