agenttesla

General

Target

aa1cb2bbf2d4c6fcbd633536c3113dabebd9405543d6325f583a3e7d39d76b90.exe
Size

563KB
Sample

240409-cb62raah46
MD5

9e0163eaf2a07786bc822ac32d42588b
SHA1

8fae6007b41ef2474f1ae6cedca7da5b62d7dcba
SHA256

aa1cb2bbf2d4c6fcbd633536c3113dabebd9405543d6325f583a3e7d39d76b90
SHA512

3163d930c6b7445dc2fe214a8c80ab94ac6a0a8a07dd96104e8bb3d44017dd2e1cad9dbc00153db06bca118787add0522bc888e80d0dfc311a3a263bde11fa97
SSDEEP

12288:xYV6MorX7qzuC3QHO9FQVHPF51jgcMz3NMqX6kjRlQvXu99:GBXu9HGaVHM5VX3ovXub

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cash4cars.nz
Port:
587
Username:
[email protected]
Password:
logs2024!
Email To:
[email protected]

Targets

- Target
  
  aa1cb2bbf2d4c6fcbd633536c3113dabebd9405543d6325f583a3e7d39d76b90.exe
- Size
  
  563KB
- MD5
  
  9e0163eaf2a07786bc822ac32d42588b
- SHA1
  
  8fae6007b41ef2474f1ae6cedca7da5b62d7dcba
- SHA256
  
  aa1cb2bbf2d4c6fcbd633536c3113dabebd9405543d6325f583a3e7d39d76b90
- SHA512
  
  3163d930c6b7445dc2fe214a8c80ab94ac6a0a8a07dd96104e8bb3d44017dd2e1cad9dbc00153db06bca118787add0522bc888e80d0dfc311a3a263bde11fa97
- SSDEEP
  
  12288:xYV6MorX7qzuC3QHO9FQVHPF51jgcMz3NMqX6kjRlQvXu99:GBXu9HGaVHM5VX3ovXub
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- UPX dump on OEP (original entry point)
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

UPX dump on OEP (original entry point)

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2