agenttesla

General

Target

0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
Size

747KB
Sample

240328-cf36naae82
MD5

93da4f364deae0c5dccb3d9ab2e1c67a
SHA1

e65df8007dae4cddbb1119c7dcc0737328c760d7
SHA256

0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305
SHA512

436a1a3fa33acb21ddc76d0191b204cf86a83ad587dfb9c97a0ae8d9e3bfa8602bc59162cbfdfdea57988151dcc386769d395fa81f3c7b87e55b9a8e650482b6
SSDEEP

12288:TkMayww0KgdH8+WXfJxsXqmUUwyFT9kgwyXROOTa85gijVdIaNv:zajSQC/0we5kwROOTa85PjrNN

Score

10^/10

Malware Config

Extracted

Family

agenttesla

C2

https://discordapp.com/api/webhooks/1209079326381703258/KMWScJ3_PST6cUhH_FpNX9xquPQydoTw5ra7lQhfDovLGBW7jR_Rk634D6j1s1IOLj61

Targets

- Target
  
  0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
- Size
  
  747KB
- MD5
  
  93da4f364deae0c5dccb3d9ab2e1c67a
- SHA1
  
  e65df8007dae4cddbb1119c7dcc0737328c760d7
- SHA256
  
  0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305
- SHA512
  
  436a1a3fa33acb21ddc76d0191b204cf86a83ad587dfb9c97a0ae8d9e3bfa8602bc59162cbfdfdea57988151dcc386769d395fa81f3c7b87e55b9a8e650482b6
- SSDEEP
  
  12288:TkMayww0KgdH8+WXfJxsXqmUUwyFT9kgwyXROOTa85gijVdIaNv:zajSQC/0we5kwROOTa85PjrNN
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with SmartAssembly
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables packed with SmartAssembly

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2