agenttesla | 5bd0a264fcd48c39d57df7dffcc8809d51e677510ee5e6847a9338793c652b45 | Triage

Sharing

General

Target

5bd0a264fcd48c39d57df7dffcc8809d51e677510ee5e6847a9338793c652b45
Size

710KB
Sample

240327-cnw3badc5s
MD5

c0d3ac3b4937048d8216aedcd7b48a03
SHA1

dd67f9ee6e897bb05f3d679d858f1eb3f1390027
SHA256

5bd0a264fcd48c39d57df7dffcc8809d51e677510ee5e6847a9338793c652b45
SHA512

4bedeb4654525d70ec9c97bed1cad4c40a7891d20d204c3aea08e23c1e3946bca1bcbc3f73bf550281f4cd7f57eac037652366d4c976ba430116e0b6d6913e1e
SSDEEP

12288:Z+QvgLt3Zz9qVgXb4bPNro681jqkpM8LBVP1dMmQDCJD/OafKUX3ErBn0688:Z2zYeXkbFckMnPXQ+rjyUaBx

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6455833672:AAEFwznYRFbwog3UBqp13FPbH7YVb236SRI/

Targets

- Target
  
  5bd0a264fcd48c39d57df7dffcc8809d51e677510ee5e6847a9338793c652b45
- Size
  
  710KB
- MD5
  
  c0d3ac3b4937048d8216aedcd7b48a03
- SHA1
  
  dd67f9ee6e897bb05f3d679d858f1eb3f1390027
- SHA256
  
  5bd0a264fcd48c39d57df7dffcc8809d51e677510ee5e6847a9338793c652b45
- SHA512
  
  4bedeb4654525d70ec9c97bed1cad4c40a7891d20d204c3aea08e23c1e3946bca1bcbc3f73bf550281f4cd7f57eac037652366d4c976ba430116e0b6d6913e1e
- SSDEEP
  
  12288:Z+QvgLt3Zz9qVgXb4bPNro681jqkpM8LBVP1dMmQDCJD/OafKUX3ErBn0688:Z2zYeXkbFckMnPXQ+rjyUaBx
Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaevasionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaevasionkeyloggerpersistencespywarestealertrojan