agenttesla | 3df609331db8626a949cb01751586fb6d9774375a8d70dc6748f0e19fedcfbd8 | Triage

Submit
Reports

Overview

overview

Static

static

3

CREDIT NOTES.exe

windows7-x64

CREDIT NOTES.exe

windows10-2004-x64

Sharing

General

Target

3df609331db8626a949cb01751586fb6d9774375a8d70dc6748f0e19fedcfbd8.7z
Size

746KB
Sample

240427-bp6sgafh95
MD5

01789281aa1d14a7f9cd2ab482ebee6c
SHA1

6c0a30de6aab1d35f9a02cdd8012ee3f3500d444
SHA256

3df609331db8626a949cb01751586fb6d9774375a8d70dc6748f0e19fedcfbd8
SHA512

04cee2e1cc91e01dada55d915f304231911275b9eaf301c4df5ba533fb203b66831f68e4c3a8338f8e2e25519b71b416880d20f229aefe6f5e00296bd823603c
SSDEEP

12288:J/7Vv9Kr82gz8bGKSPPwlD+13RIi57whWA9HG9e5BKvAB06Zy8b5o5pVrVMpLV4:9JVKYNIlYRR5q7N35BKx6ZNFl4

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

CREDIT NOTES.exe

Resource

win7-20240215-en

agenttesla keylogger persistence spyware stealer trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

CREDIT NOTES.exe

Resource

win10v2004-20240419-en

agenttesla keylogger persistence spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.unitechautomations.com
Port:
587
Username:
[email protected]
Password:
Unitech@123
Email To:
[email protected]

Targets

- Target
  
  CREDIT NOTES.exe
- Size
  
  949KB
- MD5
  
  a94578e1a694ba09dc9ed5dc7df60fcc
- SHA1
  
  8ea85a39e4e456e79db46abfe00f9be73c8e254e
- SHA256
  
  b06ef71a820a829fc010a3bc33b6c630282b94d831e25f972b7173f0783b76c9
- SHA512
  
  ab3277ca5e074100cc9323234ee257816261154bcd6da3b00c56a83b0f0923575649ec9c3272e5ac8da6bd4ae08f6757d7cd15147a15963d144b99be92a30565
- SSDEEP
  
  24576:8+17qWKvIj9RR5BGNn5BZj6ZNaJ312Zw471:t5AvIj9VB+j6naJl2iK1
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

agentteslakeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy