agenttesla

General

Target

240219-dsgc4aha8w_pw_infected.zip
Size

9.6MB
Sample

240521-19x4hacc2t
MD5

94383650d3f84765d1bb592fc4fe43f4
SHA1

eb53c3e4b66ff46b253ad04d02d367dcdd5445df
SHA256

3339684c5ea9d82228af499585907e9eab5a99ecaf9fda63518fa112ba394527
SHA512

75525736a528a2e733873e74fb9330bc72084162bfdc5db79bc4f5d80b6d00ee629163f2bcd4219d79a6eaf1560e7df79f0c56593fff74ffb6fb7354e3a17881
SSDEEP

196608:4TCgVjt/t+zdHIrBlaKfZcPxhe7EBCMjocOxtlO+QLAdc:6VjNYz8tm5C8kxL36

Score

10^/10

Malware Config

Targets

- Target
  
  WZAgent.exe
- Size
  
  9.4MB
- MD5
  
  86137e9ed8313472f22f6e523d8ad219
- SHA1
  
  49e66323a9ad23e49569edfb0f4ca2d3c67ef61b
- SHA256
  
  e25599248cbab0ee17db46769aefac345098d9a066192f89c0072a38c726f50a
- SHA512
  
  f06d574d3a5040303ef9a246a73163675169f8e5086835279a376ab14442f3f38afe70ea31fc68357845e28e3872e94e9b8f67694a3b6fc288d5b85d7d2975d6
- SSDEEP
  
  196608:/ntsxE5JupJ6XmXIY3AmEXxeA32ngfgZ5Kv+yWGqL+aewN8L:/nts+Upam4OAmEXn4Z5C+RLN
Score

10^/10

agenttesla agilenet evasion keylogger spyware stealer themida trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

AgentTesla payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2