agenttesla

General

Target

Ref227395588 Fw Notice for shipment with DHL - HWB 2592541501.msg
Size

612KB
Sample

240430-ag7jcseh91
MD5

7d1f4f679b1ae4aa5730ed01ce9f76ac
SHA1

9e35dbf0535f30bc6a347e89e7e02e954a165607
SHA256

7f007341834ce7397c65046af35d6b9c54e36627308e0caef0ca61183a973480
SHA512

15024f1fb17f9ee1909dde663f321bfa963f28d2e396e837c92efa0ad99df65973ff7d7d501f7e033430115bbb8e13d2b673cedd5711824c17bbccab429688b7
SSDEEP

6144:IbK/6/4VhjZ6ySmRH93qXyS8KevIl/8/vpwO4XMGdKf4xU0PrH7KjnvQWTk85Kqm:EXySuRbpGv64vPrHmnkb+NHYqXZ4fa

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
28#75@ts76#V1F8h
Email To:
[email protected]

Targets

- Target
  
  Arrival Notice_CIA_AWB_INV_Form_pdf.IMG
- Size
  
  562KB
- MD5
  
  0f3c6f0d2eccbcdc76e847ea0f62f15e
- SHA1
  
  4baf2036c231dc9a0fba13e6d7d551b27b5b4194
- SHA256
  
  49a656f7ee544b5f21726a0f0f5469bd7a15aaa4615b53c4b0dac92b4aea308b
- SHA512
  
  a3efe41ce4ae7bd4689fe41c6e1cdb41f8cb4227eae4695a961c00d3305562d59e5bc25f4221c230052a478a505ed6118f95bb09468ffc3dd282be3e849aa1f5
- SSDEEP
  
  6144:2Z6ySmRH93qXyS8KevIl/8/vpwO4XMGdKf4xU0PrH7KjnvQWTk85KqZIMHYJqE4E:ZySuRbpGv64vPrHmnkb+NHYqXZ4fa
Score

3^/10
behavioral1 behavioral2
- Target
  
  Ref227395588_pdf.scr
- Size
  
  505KB
- MD5
  
  88db09b12a478cac87ed465252c6c8f7
- SHA1
  
  0e3acd2b568bd58fcfd2e914eff2c982deb55258
- SHA256
  
  0f0b721073a35fe3e6b37d75582704acd5bdc1b3d71343e74d6fec59ac932deb
- SHA512
  
  7d228d662e3271920094e345d36597c2e6c880d12fc3cef8c3f1206711a0b49f93d2275b5527d8ce88c1e3772d0b011161d1bd16688cb9db28471a75b949ab67
- SSDEEP
  
  6144:+Z6ySmRH93qXyS8KevIl/8/vpwO4XMGdKf4xU0PrH7KjnvQWTk85KqZIMHYJqE4E:RySuRbpGv64vPrHmnkb+NHYqXZ4fa
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4