agenttesla | bd1d2e0fc5a13b960fc305b05497e9c0d6e31137ed831a0d7523cea5cdaa50d3 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

solicitud ...9#.xls

windows7-x64

solicitud ...9#.xls

windows10-2004-x64

1

Sharing

General

Target

solicitud de cotizaci�n909#.xla
Size

374KB
Sample

240223-nj2b1sfc5y
MD5

fa3267601e7ae603efa62bae7e8e5ab5
SHA1

5d16d6cf76984e6f228aa737ade7a0194e19dcb1
SHA256

bd1d2e0fc5a13b960fc305b05497e9c0d6e31137ed831a0d7523cea5cdaa50d3
SHA512

8f3f9c2453f3a8e2c94d2a4cf7cf5619c9ecdb669c4543a7ebdc5b88ccc5e84819ce31608ce4bef29369cbb3dfb94a995c36dba4a48fea47c0cef8bf543adfb6
SSDEEP

6144:PC5zvCp4sJgtouzdDHBMixiMK6G+ZFrTgT1WWnJaFBxe+PREJqE2QxxGl74:PC5bCfgtomdjpozwjT2kWcPc+PEqEj

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

solicitud de cotizaci�n909#.xls

Resource

win7-20240221-en

agenttesla keylogger spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

solicitud de cotizaci�n909#.xls

Resource

win10v2004-20240221-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
4r@d15PS!-!h

Targets

- Target
  
  solicitud de cotizaci�n909#.xla
- Size
  
  374KB
- MD5
  
  fa3267601e7ae603efa62bae7e8e5ab5
- SHA1
  
  5d16d6cf76984e6f228aa737ade7a0194e19dcb1
- SHA256
  
  bd1d2e0fc5a13b960fc305b05497e9c0d6e31137ed831a0d7523cea5cdaa50d3
- SHA512
  
  8f3f9c2453f3a8e2c94d2a4cf7cf5619c9ecdb669c4543a7ebdc5b88ccc5e84819ce31608ce4bef29369cbb3dfb94a995c36dba4a48fea47c0cef8bf543adfb6
- SSDEEP
  
  6144:PC5zvCp4sJgtouzdDHBMixiMK6G+ZFrTgT1WWnJaFBxe+PREJqE2QxxGl74:PC5bCfgtomdjpozwjT2kWcPc+PEqEj
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Abuses OpenXML format to download file from external location
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy