agenttesla | 3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe
Size

721KB
Sample

240514-trkbcsed84
MD5

35373ea173fb999636a21ad039ce4951
SHA1

d477aa5c029736ca08b927935c901c5f53d454ff
SHA256

3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286
SHA512

83c8ff6bbede26092b21be38caa110d640ad48130ac5e8f48f84f18ede855e81da43420d49efcc905ddc7e448cb8a2f4ea6d2390edd69a878a305fda9b73b834
SSDEEP

12288:mfTeH81jJUDu3+6fov6jk6Jl859MCzjDgC9h0LImZ1tzRI4aP/kR:38MDhyjk6J659M2j8tImVRii

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.azmaplast.com
Port:
587
Username:
[email protected]
Password:
QAZqaz123@@
Email To:
[email protected]

Targets

- Target
  
  3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe
- Size
  
  721KB
- MD5
  
  35373ea173fb999636a21ad039ce4951
- SHA1
  
  d477aa5c029736ca08b927935c901c5f53d454ff
- SHA256
  
  3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286
- SHA512
  
  83c8ff6bbede26092b21be38caa110d640ad48130ac5e8f48f84f18ede855e81da43420d49efcc905ddc7e448cb8a2f4ea6d2390edd69a878a305fda9b73b834
- SSDEEP
  
  12288:mfTeH81jJUDu3+6fov6jk6Jl859MCzjDgC9h0LImZ1tzRI4aP/kR:38MDhyjk6J659M2j8tImVRii
Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerpersistencespywarestealertrojan