agenttesla | 5a24cf78cb6054ef0f93726c02aeb7c0d0b2e772b69fb1a9907b6ba8ef8f952e | Triage

Sharing

General

Target

5a24cf78cb6054ef0f93726c02aeb7c0d0b2e772b69fb1a9907b6ba8ef8f952e_NeikiAnalytics
Size

1.1MB
Sample

240521-q71rhagd3y
MD5

2c4576ca7c0f8abeb6647ca51cd19b2c
SHA1

cac2fdb51c878e8dec6e0f392281a3562ea9ecc0
SHA256

5a24cf78cb6054ef0f93726c02aeb7c0d0b2e772b69fb1a9907b6ba8ef8f952e
SHA512

998472adbb49895a2ee41b3f868b9c61b45bbcb3609296f234ff50fe391098e1c8f9e04c5cd5a14575ea268e229b3ffa8c73949fae4ac541bd7b614a83d6bb45
SSDEEP

24576:6lMAYTFQBeU31HTh/OZHCeTcILzp6Od7b:6lMlTKsi1/OZMIM63

Score

10^/10

agenttesla evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7062542161:AAGTRYaovexgStrKeV0wI1K5scR6qGG6-3k/

Targets

- Target
  
  5a24cf78cb6054ef0f93726c02aeb7c0d0b2e772b69fb1a9907b6ba8ef8f952e_NeikiAnalytics
- Size
  
  1.1MB
- MD5
  
  2c4576ca7c0f8abeb6647ca51cd19b2c
- SHA1
  
  cac2fdb51c878e8dec6e0f392281a3562ea9ecc0
- SHA256
  
  5a24cf78cb6054ef0f93726c02aeb7c0d0b2e772b69fb1a9907b6ba8ef8f952e
- SHA512
  
  998472adbb49895a2ee41b3f868b9c61b45bbcb3609296f234ff50fe391098e1c8f9e04c5cd5a14575ea268e229b3ffa8c73949fae4ac541bd7b614a83d6bb45
- SSDEEP
  
  24576:6lMAYTFQBeU31HTh/OZHCeTcILzp6Od7b:6lMlTKsi1/OZMIM63
Score

10^/10

execution agenttesla evasion keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslaevasionexecutionkeyloggerspywarestealertrojan