agenttesla | 658e2f44c6e3a6af989069dc2fc82337c326fe751e037161e1c780c9bc639c4c | Triage

Sharing

General

Target

658e2f44c6e3a6af989069dc2fc82337c326fe751e037161e1c780c9bc639c4c
Size

763KB
Sample

240522-cwlljshd39
MD5

7dfb952c184cd0e1d8ad2df971a83986
SHA1

a3d2cf69513c7d7ddd020eb11ad40c5ee790fd28
SHA256

658e2f44c6e3a6af989069dc2fc82337c326fe751e037161e1c780c9bc639c4c
SHA512

be9a46365483bdb02751fa4237e08685b3184b23d93f99b039a3f66a0496feeeb8a83ba2cf37a25fda7ca701d44f36f1fd834893be1fdd55d966d360d35ca77c
SSDEEP

12288:yz+I6yWn7fcpVZlu/6uH30nEZ+ym9ENATN9O/P8xGkFp+DjwT8rHDFXVz4X6YG1y:/I698VVY30nEB09YEGkx47hlznI

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.springandsummer.lk
Port:
587
Username:
[email protected]
Password:
anu##323
Email To:
[email protected]

Targets

- Target
  
  658e2f44c6e3a6af989069dc2fc82337c326fe751e037161e1c780c9bc639c4c
- Size
  
  763KB
- MD5
  
  7dfb952c184cd0e1d8ad2df971a83986
- SHA1
  
  a3d2cf69513c7d7ddd020eb11ad40c5ee790fd28
- SHA256
  
  658e2f44c6e3a6af989069dc2fc82337c326fe751e037161e1c780c9bc639c4c
- SHA512
  
  be9a46365483bdb02751fa4237e08685b3184b23d93f99b039a3f66a0496feeeb8a83ba2cf37a25fda7ca701d44f36f1fd834893be1fdd55d966d360d35ca77c
- SSDEEP
  
  12288:yz+I6yWn7fcpVZlu/6uH30nEZ+ym9ENATN9O/P8xGkFp+DjwT8rHDFXVz4X6YG1y:/I698VVY30nEB09YEGkx47hlznI
Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerpersistencespywarestealertrojan