agenttesla | 02b7361eeb75b842d6b7ade09f042879d501e50bc07a8d4edcfc04b7d728b0e7 | Triage

Sharing

General

Target

Zapytanie ofertowe (7427-23 ROCKFIN).vbs
Size

7KB
Sample

240424-fdzbgafa94
MD5

3a6ac16d9bc107b14e4caa9b7ad08756
SHA1

d6c6f6d4843ef83e2c4e3344060aca80b032eb43
SHA256

02b7361eeb75b842d6b7ade09f042879d501e50bc07a8d4edcfc04b7d728b0e7
SHA512

e0003c51e42c3ac764c6114692b1ee155c424e046cd3ba6f3a151bfb58eaccbc347f1cc0e9d3f0c90a6e350047056c38f79926fc716cab84b735533d64dd41ba
SSDEEP

96:+AwU3ey01WrZ9NnWh04lLchxcxaBKXaxcKicGeOuBhsempL92U9xsSwFABSCpu4P:+nWeRsrZXHOgpc3TfsjAQHBUBD

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cash4cars.nz
Port:
587
Username:
[email protected]
Password:
logs2024!
Email To:
[email protected]

Targets

- Target
  
  Zapytanie ofertowe (7427-23 ROCKFIN).vbs
- Size
  
  7KB
- MD5
  
  3a6ac16d9bc107b14e4caa9b7ad08756
- SHA1
  
  d6c6f6d4843ef83e2c4e3344060aca80b032eb43
- SHA256
  
  02b7361eeb75b842d6b7ade09f042879d501e50bc07a8d4edcfc04b7d728b0e7
- SHA512
  
  e0003c51e42c3ac764c6114692b1ee155c424e046cd3ba6f3a151bfb58eaccbc347f1cc0e9d3f0c90a6e350047056c38f79926fc716cab84b735533d64dd41ba
- SSDEEP
  
  96:+AwU3ey01WrZ9NnWh04lLchxcxaBKXaxcKicGeOuBhsempL92U9xsSwFABSCpu4P:+nWeRsrZXHOgpc3TfsjAQHBUBD
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2