agenttesla | 453a50aec0b029f077090b41b580119103542b9dae4db4331de2e766c9f5d0b1 | Triage

Submit
Reports

Overview

overview

Static

static

1

90971985 DRAFT.xlam

windows7-x64

90971985 DRAFT.xlam

windows10-2004-x64

1

Sharing

Copy URL Twitter E-mail

General

Target

90971985 DRAFT.xlam
Size

621KB
Sample

240223-ty711aeb5s
MD5

81060ff4c39e6955c1e4523c759e90fa
SHA1

d41c1eeb891774cce18ae03ab5d98a11d441c9c7
SHA256

453a50aec0b029f077090b41b580119103542b9dae4db4331de2e766c9f5d0b1
SHA512

68d92a9c9447801883eb0018723af590cb2ca315821a06c69c9d1198d399b539268e950c3a722f7159c61988d56f19513f2425cfa04e917505522e96ea726feb
SSDEEP

12288:cRnWgCo5hmw9XyDld51WX3Wf0RHqLyPIP4uKYyuAP41QcevU:AFuld5g2f0JQM+lKo4mXOU

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

90971985 DRAFT.xlam

Resource

win7-20240221-en

agenttesla collection keylogger spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

90971985 DRAFT.xlam

Resource

win10v2004-20240221-en

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.awelleh3.top
Port:
587
Username:
[email protected]
Password:
QcR_(8@AdfHa
Email To:
[email protected]

Targets

- Target
  
  90971985 DRAFT.xlam
- Size
  
  621KB
- MD5
  
  81060ff4c39e6955c1e4523c759e90fa
- SHA1
  
  d41c1eeb891774cce18ae03ab5d98a11d441c9c7
- SHA256
  
  453a50aec0b029f077090b41b580119103542b9dae4db4331de2e766c9f5d0b1
- SHA512
  
  68d92a9c9447801883eb0018723af590cb2ca315821a06c69c9d1198d399b539268e950c3a722f7159c61988d56f19513f2425cfa04e917505522e96ea726feb
- SSDEEP
  
  12288:cRnWgCo5hmw9XyDld51WX3Wf0RHqLyPIP4uKYyuAP41QcevU:AFuld5g2f0JQM+lKo4mXOU
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy