agenttesla | 9d997d5d1348d22f92c8544347864d33aedcddd546ed99762046d40153153508 | Triage

Sharing

General

Target

91a4e682ebc54e8fd63edf2d6622b216.bin
Size

665KB
Sample

240327-dk2n3aec71
MD5

62257f25825fb5ff6d366ff8f3d29823
SHA1

0cb33b6c414c365e766145116145d3a4ace5d79c
SHA256

9d997d5d1348d22f92c8544347864d33aedcddd546ed99762046d40153153508
SHA512

f14d1bcba7852f595fc2d877fac2091da720d18b08f0551a881264b81193fa21aab1bf0bfee4f4c1e4c1b3f061ef63dabb23f311f7cdf9f9e41605fbc50e01a6
SSDEEP

12288:W+jqFq8Rsj0dRh3s/04D2JRsg1ivZ1qCIGJatDUW2RK7J679TurtoVrmDWkyza3:W++q8RsQdjqNDdeix1lI4cD679TurtbV

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.ozgurmob.com
Port:
587
Username:
[email protected]
Password:
beko(1453)(3959)
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.ozgurmob.com
Port:
587
Username:
[email protected]
Password:
beko(1453)(3959)

Targets

- Target
  
  a87e27a64d0e52356582fb694d7466f79118ae9f2efd15884eb772fda468774b.exe
- Size
  
  712KB
- MD5
  
  91a4e682ebc54e8fd63edf2d6622b216
- SHA1
  
  8e69dfb01beccbb6dd7b6b3a3cd58cd750c823ec
- SHA256
  
  a87e27a64d0e52356582fb694d7466f79118ae9f2efd15884eb772fda468774b
- SHA512
  
  fbe33dd9c2727b1da3635be3442e5beee8ff0ceba29ba5a76d2b329576b4c960c1899c38de88a4e497e4e90f855f652b92307772a3d4581e9c2dfaca1efdc18f
- SSDEEP
  
  12288:s4CMwRX2hu6MiFBGT/t05fUulNpGMg1VaFVvNw8GlJ2KpmjFGH8A:3ai6t051/pBxKpW
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

agentteslakeyloggerpersistencespywarestealertrojan