agenttesla | 17c6dbd1c5b8e74f918919b871216da29238498712f81b85642c905bc127f112 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

citat-05022024.xls

windows7-x64

citat-05022024.xls

windows10-2004-x64

1

Sharing

General

Target

citat-05022024.xla
Size

239KB
Sample

240502-mq9fjafa9w
MD5

0ad05016cab776ee9fca8d6e0c81adb4
SHA1

e3b264d0dc7b739adc067b0cdbd92576e9fe1405
SHA256

17c6dbd1c5b8e74f918919b871216da29238498712f81b85642c905bc127f112
SHA512

f9df6b90d66fd93c0ef292967fac9d315ed441925256289b748287d045dbc914e03385141744fec76063d5d56582f18f74f304e31aeafd43f27445aa98efe03e
SSDEEP

6144:id4UcLe0JOqPQZR8MDdATCR3tSv0W8DNy/tgG794Yhk:lUP/qPQZR8MxAm/S8W8B/G794Gk

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

citat-05022024.xls

Resource

win7-20240221-en

agenttesla execution keylogger spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

citat-05022024.xls

Resource

win10v2004-20240419-en

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.folder.ro
Port:
21
Username:
[email protected]
Password:
R2r76%(3v^H0

Targets

- Target
  
  citat-05022024.xla
- Size
  
  239KB
- MD5
  
  0ad05016cab776ee9fca8d6e0c81adb4
- SHA1
  
  e3b264d0dc7b739adc067b0cdbd92576e9fe1405
- SHA256
  
  17c6dbd1c5b8e74f918919b871216da29238498712f81b85642c905bc127f112
- SHA512
  
  f9df6b90d66fd93c0ef292967fac9d315ed441925256289b748287d045dbc914e03385141744fec76063d5d56582f18f74f304e31aeafd43f27445aa98efe03e
- SSDEEP
  
  6144:id4UcLe0JOqPQZR8MDdATCR3tSv0W8DNy/tgG794Yhk:lUP/qPQZR8MxAm/S8W8B/G794Gk
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Abuses OpenXML format to download file from external location
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy