agenttesla | 38ad73898e63618341258849243ad1ce0037e76cbe1bfcfabc40836618afc34d | Triage

Submit
Reports

Overview

overview

Static

static

1

38ad73898e...4d.rtf

windows7-x64

38ad73898e...4d.rtf

windows10-2004-x64

1

Sharing

General

Target

38ad73898e63618341258849243ad1ce0037e76cbe1bfcfabc40836618afc34d.rtf
Size

62KB
Sample

240315-ck1akaga57
MD5

961469a7faca9a00f79a19c317969956
SHA1

b303364caba3f3df9d0f51edc60a7fea724f005e
SHA256

38ad73898e63618341258849243ad1ce0037e76cbe1bfcfabc40836618afc34d
SHA512

9b99bdc81c104dd53abcf0ca33d44a37a1e59fbfd8ae0a2c6cb33b6d3f4f615c9a467b1aaf105f92765aa933b6ec97ae48c701fb9e87681bad4a0841aec69fe9
SSDEEP

1536:8It84m/S+rUplDYKvxPZwwQ0D+xiDvTBOCFkxvG6M:tt84q0pYSxPZjjXvTBOWkxvDM

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

38ad73898e63618341258849243ad1ce0037e76cbe1bfcfabc40836618afc34d.rtf

Resource

win7-20240221-en

agenttesla keylogger spyware stealer trojan

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

38ad73898e63618341258849243ad1ce0037e76cbe1bfcfabc40836618afc34d.rtf

Resource

win10v2004-20240226-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
q.15SE~j1@};

Targets

- Target
  
  38ad73898e63618341258849243ad1ce0037e76cbe1bfcfabc40836618afc34d.rtf
- Size
  
  62KB
- MD5
  
  961469a7faca9a00f79a19c317969956
- SHA1
  
  b303364caba3f3df9d0f51edc60a7fea724f005e
- SHA256
  
  38ad73898e63618341258849243ad1ce0037e76cbe1bfcfabc40836618afc34d
- SHA512
  
  9b99bdc81c104dd53abcf0ca33d44a37a1e59fbfd8ae0a2c6cb33b6d3f4f615c9a467b1aaf105f92765aa933b6ec97ae48c701fb9e87681bad4a0841aec69fe9
- SSDEEP
  
  1536:8It84m/S+rUplDYKvxPZwwQ0D+xiDvTBOCFkxvG6M:tt84q0pYSxPZjjXvTBOWkxvDM
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy