agenttesla | 096a3baa4ba3d03b673524a281f63fa16e15a7880e5174a8679db9193eb48a75 | Triage

Sharing

General

Target

PO #1131011152-2024-Order,pdf.exe
Size

28KB
Sample

240221-qpjp9sge27
MD5

9e9bbdca2a035d2e5503d1c180fc5695
SHA1

f0a89a2568f653a5a66f71640a26da2f3553acce
SHA256

096a3baa4ba3d03b673524a281f63fa16e15a7880e5174a8679db9193eb48a75
SHA512

9ed9b1c9bc6e6ba2b61afc4faf35a3d75d258456d14ef03b06d269ec3895267c5e2703a9f4f9dbcbc29ff3cbcee0d3734a946b3281912afb27586dcff2505d68
SSDEEP

384:AndtRcWJiFCzBQYD84eaFs9whv1gNVwPdFQH4P4A/QO6zK8NTc81HVu+zPZ/9Dwv:QAFEBQYA5XK6ezQH28lpVfzP5dwv

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.ionos.com
Port:
587
Username:
[email protected]
Password:
S@fetyServicesGr0up

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.ionos.com
Port:
587
Username:
[email protected]
Password:
S@fetyServicesGr0up
Email To:
[email protected]

Targets

- Target
  
  PO #1131011152-2024-Order,pdf.exe
- Size
  
  28KB
- MD5
  
  9e9bbdca2a035d2e5503d1c180fc5695
- SHA1
  
  f0a89a2568f653a5a66f71640a26da2f3553acce
- SHA256
  
  096a3baa4ba3d03b673524a281f63fa16e15a7880e5174a8679db9193eb48a75
- SHA512
  
  9ed9b1c9bc6e6ba2b61afc4faf35a3d75d258456d14ef03b06d269ec3895267c5e2703a9f4f9dbcbc29ff3cbcee0d3734a946b3281912afb27586dcff2505d68
- SSDEEP
  
  384:AndtRcWJiFCzBQYD84eaFs9whv1gNVwPdFQH4P4A/QO6zK8NTc81HVu+zPZ/9Dwv:QAFEBQYA5XK6ezQH28lpVfzP5dwv
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Contacts a large (4217) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agenttesladiscoverykeyloggerspywarestealertrojan