agenttesla | 40acbda6947bc0e99b0d5cc93a5d1a58529a7469563e328a2ca54344f08b9b75 | Triage

Submit
Reports

Overview

overview

Static

static

1

PURCHASE O...DF.bat

windows7-x64

8

PURCHASE O...DF.bat

windows10-2004-x64

Sharing

General

Target

PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat
Size

7KB
Sample

240425-lxxvmshf2z
MD5

6c70e7a8891c5f33997d79d37e79aa37
SHA1

2078349aa37c31d0f378e302d797845a25603961
SHA256

40acbda6947bc0e99b0d5cc93a5d1a58529a7469563e328a2ca54344f08b9b75
SHA512

e2ef87750ec9b3683ffc4b13e4e954e4e20d8fdcf79d704ee6a54ee3a2375ad9bfb1557bb6a0dde0d295af7d78d1bcc398606466c49250e2e566f433a5ba01b2
SSDEEP

192:61a/J9MX21bdLSgMulLVo7l+isVXmG5ZWZI:6YJGugJ+ilG5J

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat

Resource

win7-20240221-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat

Resource

win10v2004-20240226-en

agenttesla keylogger spyware stealer trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.controlfire.com.mx
Port:
587
Username:
craztor@controlfire.com.mx
Password:
+DI9CNZM&Y%W
Email To:
craztorreport@controlfire.com.mx

Targets

- Target
  
  PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat
- Size
  
  7KB
- MD5
  
  6c70e7a8891c5f33997d79d37e79aa37
- SHA1
  
  2078349aa37c31d0f378e302d797845a25603961
- SHA256
  
  40acbda6947bc0e99b0d5cc93a5d1a58529a7469563e328a2ca54344f08b9b75
- SHA512
  
  e2ef87750ec9b3683ffc4b13e4e954e4e20d8fdcf79d704ee6a54ee3a2375ad9bfb1557bb6a0dde0d295af7d78d1bcc398606466c49250e2e566f433a5ba01b2
- SSDEEP
  
  192:61a/J9MX21bdLSgMulLVo7l+isVXmG5ZWZI:6YJGugJ+ilG5J
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

agentteslakeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy