agenttesla

General

Target

22052024_1232_22052024_doc023571961500.img
Size

1.2MB
Sample

240522-pq159sbe32
MD5

5106302075eb2553360c72dec5793e20
SHA1

1d3e0b35ce69e3c3123f494a2febe3edc738ad21
SHA256

7ac91c1b8806a9ebc40b12497bd928973f009280a13b2515f9e293657e62b118
SHA512

2d3ff5b0b2f4f3cbe503a425cc3baaa2f5cb5b79bfad721865aaba67d5e120745f3e39e27f0b8047647f278c5cd68ee716268954fb2eb0b14101e227e4ae4153
SSDEEP

12288:nuoS1Rnqm/L+toFP3ke8cfDynok2l19jjk9CTe13:uT1Rqm/kol3Kn619k

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
sslout.de
Port:
587
Username:
[email protected]
Password:
dataset123
Email To:
[email protected]

Targets

- Target
  
  doc023571961500.bat
- Size
  
  708KB
- MD5
  
  1fdc4210c29446f1358360b7df89eb3e
- SHA1
  
  feabe794bd8654ceaa0d2a2588b252fed6cae378
- SHA256
  
  8ef4d6591309fbe5f7998a82ea2db9db9c502293abf51fe37e37d860b2977d7c
- SHA512
  
  4f30ad8c74e270d7cc88f3de29fd9a2530a378b07cd5efce7867e19e007472f89da0b6a1fcc97871f4b3e16d65513369b6c34f6e4144983afcebfe35965e337a
- SSDEEP
  
  12288:QuoS1Rnqm/L+toFP3ke8cfDynok2l19jjk9CTe13c:HT1Rqm/kol3Kn619k+
Score

10^/10

execution agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2