agenttesla | 76b2ad6694d96a44a96db9fb25dac7da1ab70a174be812b78fcfe5dc048eba25 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

76b2ad6694...25.exe

windows7-x64

76b2ad6694...25.exe

windows10-2004-x64

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Brava/Deri...es.app

macos-10.15-amd64

1

Sharing

General

Target

76b2ad6694d96a44a96db9fb25dac7da1ab70a174be812b78fcfe5dc048eba25.exe
Size

780KB
Sample

240213-dd14ysda4w
MD5

13d388f4fe68a40f09346acb5aca5bbc
SHA1

d8941b604dcd378532fb4362f878e43c11cca491
SHA256

76b2ad6694d96a44a96db9fb25dac7da1ab70a174be812b78fcfe5dc048eba25
SHA512

40eb0639bd678bbcca68dc3b48b0b01b99450344d7a084a25589ee605c4bbc99bf448d62678a961baf345ad0f7cc8586a47a45d3767fe1d0eec4f236255f50d4
SSDEEP

12288:ebFQCaDC1E5HNyrjAHyKTB7wln9vi/9aV+jf3igDiOlymYSmPAQt1lsZC:eb4cnIyKdEe97fni+y+moAbGC

Score

10^/10

agenttesla keylogger macos persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

76b2ad6694d96a44a96db9fb25dac7da1ab70a174be812b78fcfe5dc048eba25.exe

Resource

win7-20231215-en

agenttesla keylogger persistence spyware stealer trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

76b2ad6694d96a44a96db9fb25dac7da1ab70a174be812b78fcfe5dc048eba25.exe

Resource

win10v2004-20231215-en

agenttesla keylogger persistence spyware stealer trojan

windows10-2004-x64

22 signatures

150 seconds

Behavioral task

behavioral3

Sample

$PLUGINSDIR/System.dll

Resource

win7-20231215-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral4

Sample

$PLUGINSDIR/System.dll

Resource

win10v2004-20231215-en

windows10-2004-x64

2 signatures

150 seconds

Behavioral task

behavioral5

Sample

Brava/Deriverendes.app

Resource

macos-20231201-en

macos-10.15-amd64

0 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
12345asdfg@@@@@
Email To:
[email protected]

Targets

- Target
  
  76b2ad6694d96a44a96db9fb25dac7da1ab70a174be812b78fcfe5dc048eba25.exe
- Size
  
  780KB
- MD5
  
  13d388f4fe68a40f09346acb5aca5bbc
- SHA1
  
  d8941b604dcd378532fb4362f878e43c11cca491
- SHA256
  
  76b2ad6694d96a44a96db9fb25dac7da1ab70a174be812b78fcfe5dc048eba25
- SHA512
  
  40eb0639bd678bbcca68dc3b48b0b01b99450344d7a084a25589ee605c4bbc99bf448d62678a961baf345ad0f7cc8586a47a45d3767fe1d0eec4f236255f50d4
- SSDEEP
  
  12288:ebFQCaDC1E5HNyrjAHyKTB7wln9vi/9aV+jf3igDiOlymYSmPAQt1lsZC:eb4cnIyKdEe97fni+y+moAbGC
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  cff85c549d536f651d4fb8387f1976f2
- SHA1
  
  d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
- SHA256
  
  8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
- SHA512
  
  531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- SSDEEP
  
  192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
Score

3^/10
behavioral3 behavioral4
- Target
  
  Brava/Deriverendes.App
- Size
  
  208KB
- MD5
  
  dbf8a0843f87bc37591a188287517bbb
- SHA1
  
  ffdb4795d4e624b6644900b07186f49b58fb1888
- SHA256
  
  2f6eecf89dac2bb4dadc340b4a9c3f79e489aef63c6ac6bb949fdd8e2296dd9c
- SHA512
  
  a73b5a349a4a577670056e54eebbf637c2b59f3ac76cc6aa43f72862f0bbbf12312b0a920d95eda8df9acfb32ad0fd4af54b5587d48243edbcc9da3037781b21
- SSDEEP
  
  3072:pdYbg5EY/rXDjl1QjSHwKpAWcaKmMeKcfx7hgbKAtZ6F8rdEfbyUo5qtEGv:pdYZQXDbkoAWcLmMeKcwgF0ET5o5qtV
Score

1^/10
behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

agentteslakeyloggerpersistencespywarestealertrojan

behavioral3

behavioral4

behavioral5

© 2018-2025

Terms | Privacy