agenttesla | a6dcc8e0c9af9d28865e6d64f6c2317c7970dd5e2706fcde33871c4d12329469 | Triage

Submit
Reports

Overview

overview

Static

static

1

a6dcc8e0c9...69.rtf

windows7-x64

a6dcc8e0c9...69.rtf

windows10-2004-x64

1

Sharing

Copy URL Twitter E-mail

General

Target

a6dcc8e0c9af9d28865e6d64f6c2317c7970dd5e2706fcde33871c4d12329469.rtf
Size

70KB
Sample

240312-dhrfbagd67
MD5

e959e69dfb1a7811bbe481bff160f3d4
SHA1

196b0cbc196dab44d19d8252e115a8045e919ea1
SHA256

a6dcc8e0c9af9d28865e6d64f6c2317c7970dd5e2706fcde33871c4d12329469
SHA512

e3c94647083f65fae550ab77ab07227bf034f10c62fa6f9341d2ceb8fd2df23ce26bec5ef4038efb1d248fd8d53cfa9fadee78e75a2bdb96f78520e5ddc8f6ee
SSDEEP

1536:AvxZvtkD43yXMA8gC9+EdS4jP107ZMtom:AvDtkEC4nJYeom

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

a6dcc8e0c9af9d28865e6d64f6c2317c7970dd5e2706fcde33871c4d12329469.rtf

Resource

win7-20240220-en

agenttesla keylogger spyware stealer trojan

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

a6dcc8e0c9af9d28865e6d64f6c2317c7970dd5e2706fcde33871c4d12329469.rtf

Resource

win10v2004-20240226-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.stingatoareincendii.ro
Port:
21
Username:
[email protected]
Password:
{_kiS5z*l0N.

Targets

- Target
  
  a6dcc8e0c9af9d28865e6d64f6c2317c7970dd5e2706fcde33871c4d12329469.rtf
- Size
  
  70KB
- MD5
  
  e959e69dfb1a7811bbe481bff160f3d4
- SHA1
  
  196b0cbc196dab44d19d8252e115a8045e919ea1
- SHA256
  
  a6dcc8e0c9af9d28865e6d64f6c2317c7970dd5e2706fcde33871c4d12329469
- SHA512
  
  e3c94647083f65fae550ab77ab07227bf034f10c62fa6f9341d2ceb8fd2df23ce26bec5ef4038efb1d248fd8d53cfa9fadee78e75a2bdb96f78520e5ddc8f6ee
- SSDEEP
  
  1536:AvxZvtkD43yXMA8gC9+EdS4jP107ZMtom:AvDtkEC4nJYeom
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy