agenttesla | 857fa69eb54e9cbab31c36e5b63d234d51cabdfec4e34f998b683b4653d39394 | Triage

Sharing

General

Target

92e2c98f8a1aa1222f4901933bddaa34.bin
Size

636KB
Sample

240328-cexx9ach2x
MD5

22b3e3e6f2adbcf7a64092e8bab4c1df
SHA1

974185ee1ab2b329ec06b39a523bd5be2abf6299
SHA256

857fa69eb54e9cbab31c36e5b63d234d51cabdfec4e34f998b683b4653d39394
SHA512

cb5aad945f9525abb0e66727834efac924dbf84c5c44e18a0c379de7a373c069253c0930b0f042b320609cda16408b6ae6a7e0ca7ff2190008d12ac5ffd8e600
SSDEEP

12288:SAMqtOG0BLHjdq2BJvxtheSe7yulITLweXHKUQQzIdgQx9:jh8LHjhJtQSnazBQkB9

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.ozgurmob.com
Port:
587
Username:
beko@ozgurmob.com
Password:
beko(1453)(3959)
Email To:
phinametics247@gmail.com

Extracted

Credentials

Protocol: smtp
Host:
mail.ozgurmob.com
Port:
587
Username:
beko@ozgurmob.com
Password:
beko(1453)(3959)

Targets

- Target
  
  3bcef269e37701fa26f27b3c759d1fddeeb96998e2f7aea05ea02acb15e53a3e.exe
- Size
  
  706KB
- MD5
  
  92e2c98f8a1aa1222f4901933bddaa34
- SHA1
  
  d3111c7e3d99e8863b985dc37c15184c2418568f
- SHA256
  
  3bcef269e37701fa26f27b3c759d1fddeeb96998e2f7aea05ea02acb15e53a3e
- SHA512
  
  24da674d5fcbec6e243971caa3eb4eb0703f6fccb9d3afb5d921d824b5681b0fe20d29bb6b8bf5c191131b697f90470244f54f5ef8f6b33b32c8dbe76f4e69ca
- SSDEEP
  
  12288:xCyaTqa5W2wna41Z/Hruq29kR6NhSPellpvz6sFncOXxDfxJfLFnKuq:IjTurae5ruP9E6WIF6sSOXVrDBq
Score

10^/10

agenttesla keylogger spyware stealer trojan persistence
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerpersistencespywarestealertrojan