agenttesla

General

Target

03a23b591496c1e4e2541839975c67874ffb1ba515b1ebb13af225d668759989.ace
Size

19KB
Sample

240224-keqsyafc6z
MD5

571a0c88df4b124cb02a0107fc02896c
SHA1

a56b280e5b393ed878d79b27379378cccaedb818
SHA256

03a23b591496c1e4e2541839975c67874ffb1ba515b1ebb13af225d668759989
SHA512

447fcf0541338cf663b4d0d6c785bd6c794aa88dd96c44f557e5ef91d927572e6f8c6842539257fcce6b8909ef41738499254042232b0fc6f850c7be4edd76c8
SSDEEP

384:e3Q7Muu/XZhX5LCaCH7DTig2x7bthKngR+OBMQ3AWMAbQUkPb6DRl65AfR2eNUos:o1JDCaCX8hRsOBMQ3TwUkj6DRliAgozA

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.supplyvan.xyz
Port:
587
Username:
[email protected]
Password:
Ifeanyi1987@
Email To:
[email protected]

Targets

- Target
  
  QUOTATION REQUIRD.exe
- Size
  
  39KB
- MD5
  
  a08fc570175654538ef118d911b16436
- SHA1
  
  2712e7784d75d4746032e825eca8abc0a8306245
- SHA256
  
  013cfd5a41b2ad509d642e132c4eee49ed5a19418b7ff77523a9965a08afa008
- SHA512
  
  5b0aced9b7a7a1c82195b178a55351ba51ced19052e7fa1f837055e5c2b763d8ab00ff420206a65541cd6b9568d8baa954fe457b019402edf5921e6e3b39848d
- SSDEEP
  
  768:iRXnmQnpZJE8sNd9LnZVxSy9eg1W6T+v5q:QhnpZJEj39DNSy9rdCvU
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Contacts a large (4670) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables packed with or use KoiVM
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contacts a large (4670) amount of remote hosts

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables packed with or use KoiVM

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Creates a large amount of network flows

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2