agenttesla | f872e441743cc9c85aa611b5060dd2d5b392adf20eae28ff57716a4a64dc96b5 | Triage

Sharing

General

Target

f872e441743cc9c85aa611b5060dd2d5b392adf20eae28ff57716a4a64dc96b5
Size

1.0MB
Sample

240521-bz4qvsed21
MD5

9b8544c46d581622f7d13513c90960d7
SHA1

ab8f26ade5e500fa6b0ad95cf526ef0d163bee04
SHA256

f872e441743cc9c85aa611b5060dd2d5b392adf20eae28ff57716a4a64dc96b5
SHA512

752b3de1874cac45dd3317fba21260638af77ae0d0d655a787178a798c8ffdaf221ea24963de213912ea6b102d782dc050fdbf54923d190bd5b9e8d1ec6e485d
SSDEEP

24576:MzsxWtb3BEvGdb3AQfGZ3TI53jWVeCMSpSpmax:M5ZBEed1Y3kqVeCMeTax

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.skitz.com.ng
Port:
21
Username:
[email protected]
Password:
Kosyano1@

Extracted

Credentials

Protocol: ftp
Host:
ftp.skitz.com.ng
Port:
21
Username:
[email protected]
Password:
Kosyano1@

Targets

- Target
  
  f872e441743cc9c85aa611b5060dd2d5b392adf20eae28ff57716a4a64dc96b5
- Size
  
  1.0MB
- MD5
  
  9b8544c46d581622f7d13513c90960d7
- SHA1
  
  ab8f26ade5e500fa6b0ad95cf526ef0d163bee04
- SHA256
  
  f872e441743cc9c85aa611b5060dd2d5b392adf20eae28ff57716a4a64dc96b5
- SHA512
  
  752b3de1874cac45dd3317fba21260638af77ae0d0d655a787178a798c8ffdaf221ea24963de213912ea6b102d782dc050fdbf54923d190bd5b9e8d1ec6e485d
- SSDEEP
  
  24576:MzsxWtb3BEvGdb3AQfGZ3TI53jWVeCMSpSpmax:M5ZBEed1Y3kqVeCMeTax
Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerpersistencespywarestealertrojan