agenttesla

General

Target

15052024_0221_14052024_New Order n. 4533452041, date 14.05.2024.gz
Size

207KB
Sample

240515-ctg6cacf8z
MD5

57724fb6ed72763c87c56abab1acaf92
SHA1

88532456cfe7c9b56b6c42e6b5785474982c9c77
SHA256

9bba23b11607a89cbef317abd360a78460f5b3da5de7f4e66067f3af2a270551
SHA512

44b9f937de2d7d8c48cb5be399811e900c9a6c433339faa2bc46cc600c5f2d8190b544f94a9b595d890bd110b3721a94d5e4de1477c5f1103715ab102070e32b
SSDEEP

6144:qIwiTPucipzzrnRdm0Ld5DAXUIp4Jpt6cczwsILUmG6:qYapnrnRdm0LLilGDwcLsIQo

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bunturaja.co.id
Port:
587
Username:
[email protected]
Password:
!@#$%,.Jakarta
Email To:
[email protected]

Targets

- Target
  
  New Order n. 4533452041, date 14.05.2024.hta
- Size
  
  424KB
- MD5
  
  41bfa760446594a9ad5d9cb19b9f80ca
- SHA1
  
  02ee45b860e1488cb3570d460dbba1e6eae6a226
- SHA256
  
  041f367ef3d1d7391917341bb6da3089f2534751a6dc10a8de23cf5196ae6a2d
- SHA512
  
  edc7d012d7ba64dee5461e2bd95e072bbec38852ae8d3a449a707f74136d1c8693c359e8bfc6a53b54900897f646fb87a3d7ac2054ff672ed352f30fd1332c5e
- SSDEEP
  
  6144:7+4t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+41:7JJv0ayfOb64MRycngoavbN0vBrbRMn
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2