agenttesla

General

Target

57724fb6ed72763c87c56abab1acaf92.bin
Size

207KB
Sample

240516-c72rxaha82
MD5

367ad54ee8da4ea9811940a18db2117a
SHA1

cae8ba22006d193c3a39a3699bb414bc066570ef
SHA256

e065b159b6204e982f96d2633ee450f52ef2adcda327656545eeb3160b4233e3
SHA512

56d3247125154666359e23a59a38b3452b8c60a2584cbc28f0e7ede9e4055ffccdbd37a72c56c4c58207e1dfb0d4cc7fdcf00dbfc699fee582500b24a2e325a0
SSDEEP

6144:vG2icGbM/5QNcMyvV77PS9wrAyilSnBjnF2GeEqw0gr6ki53:7V5BRU9S3eEqw0gro53

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bunturaja.co.id
Port:
587
Username:
[email protected]
Password:
!@#$%,.Jakarta
Email To:
[email protected]

Targets

- Target
  
  New Order n. 4533452041, date 14.05.2024.hta
- Size
  
  424KB
- MD5
  
  41bfa760446594a9ad5d9cb19b9f80ca
- SHA1
  
  02ee45b860e1488cb3570d460dbba1e6eae6a226
- SHA256
  
  041f367ef3d1d7391917341bb6da3089f2534751a6dc10a8de23cf5196ae6a2d
- SHA512
  
  edc7d012d7ba64dee5461e2bd95e072bbec38852ae8d3a449a707f74136d1c8693c359e8bfc6a53b54900897f646fb87a3d7ac2054ff672ed352f30fd1332c5e
- SSDEEP
  
  6144:7+4t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+41:7JJv0ayfOb64MRycngoavbN0vBrbRMn
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2