agenttesla | 9baf54a3f9d9c51cb893ef328bd391b76f2779e8a7bebd1c49ab2f1c5705a69c | Triage

Sharing

Copy URL Twitter E-mail

General

Target

22042024_2007_22042024_Texas_Tool_Purchase_Order#T18834-1.rar
Size

5KB
Sample

240422-pad1ssba66
MD5

1d5067a7ce7c0a8654343b2532951523
SHA1

8baebe5d4322f85e6e3e0f24289b889aa8fb3438
SHA256

9baf54a3f9d9c51cb893ef328bd391b76f2779e8a7bebd1c49ab2f1c5705a69c
SHA512

4bdd994534b8a7bf0a3d93ffadffce6c654236a2de4813cc9bf1a4b3ad92e3d948635ab92703d13cf6d9f4894fef80a0d0d577c17fd520526ab43a825f1e71fa
SSDEEP

96:1VkJ9CMaznGzn1jQXEXtR++LBmZfMFo2mIOlcMYsJog/qxGH304gegjbbB+Iti06:LM4CFQ4NmZoo2mIOlTYsJ4xIEjeup+Eo

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
Newyear2023

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
Newyear2023
Email To:
[email protected]

Targets

- Target
  
  Texas_Tool_Purchase_Order#T18834-1.vbs
- Size
  
  8KB
- MD5
  
  85bb05a80334099ded83e21dd686c567
- SHA1
  
  308f10b6208abf4a9c92736c80b6dcb01ca332d2
- SHA256
  
  46d29ed35c7ca72d44d99f3d12603cd11435b6388bf61cd9988e7d375ddbb7b5
- SHA512
  
  b70ebc02b5bd572762514c6fc51c667a60f2430ddf0715f6424286f15402c5deea08a45c5df6ca1deee391d13c71da115cdc30907e63b8caee6913de151031a7
- SSDEEP
  
  192:jhNB4p8EjRXbRKclRi7uhzT9hNEIjgXmHpApCmJGPD86UfxbiX6j6OD1p:jmp8WRXbRKci7ux9wIjixpCKGb86U5bV
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2