agenttesla

General

Target

d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277.bat
Size

2KB
Sample

240213-gbxkjafg71
MD5

380c9e85f6960add801843076c33ec3b
SHA1

53f4ebaa47e325b25feaf22211dcff9223dc2ccc
SHA256

d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277
SHA512

88e6a1f62735e5116041dfa23c0a3743f3f31b6372c4af698323e7eddd028eff7d10bb83b883bda6e3aa2171827efb661eacd7e7d7db4ca8891919b134986e35

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.knoow.net
Port:
587
Username:
[email protected]
Password:
americanboy21@

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.knoow.net
Port:
587
Username:
[email protected]
Password:
americanboy21@
Email To:
[email protected]

Targets

- Target
  
  d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277.bat
- Size
  
  2KB
- MD5
  
  380c9e85f6960add801843076c33ec3b
- SHA1
  
  53f4ebaa47e325b25feaf22211dcff9223dc2ccc
- SHA256
  
  d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277
- SHA512
  
  88e6a1f62735e5116041dfa23c0a3743f3f31b6372c4af698323e7eddd028eff7d10bb83b883bda6e3aa2171827efb661eacd7e7d7db4ca8891919b134986e35
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables manipulated with Fody
- Detects executables packed with Costura DotNetGuard
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables manipulated with Fody

Detects executables packed with Costura DotNetGuard

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2