agenttesla | fd4ea8972da528ad2c6bd24eef9fbf84af68c254a73ec9a7c2d9e96955e4813c | Triage

Sharing

General

Target

Doc1000050789xlsx.7z
Size

2.2MB
Sample

240522-q62bmsdf63
MD5

cda4d1fadb3779224bed26fcfe3fa596
SHA1

4b2ac3b2dbd32a5d93cf66b8d9bcd9737f6a3b5a
SHA256

fd4ea8972da528ad2c6bd24eef9fbf84af68c254a73ec9a7c2d9e96955e4813c
SHA512

730d1897af0c24e54485459ce22cdd39ea581464e4be98625d96e2e0f97c0b46298d494803323927a47880ebb9c7b0cf3c28afeffbc3613e63e69f6f82b90e07
SSDEEP

49152:KJ1I2l/BHmQOc0+jOf/vqEPjIOqOU+9Oa9it6xgmBB4Rorj:KXI2hBb0+j4/X8z+4a9it6xRSorj

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
66.29.151.236
Port:
587
Username:
[email protected]
Password:
YuWsikfV67lD
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
66.29.151.236
Port:
587
Username:
[email protected]
Password:
YuWsikfV67lD

Targets

- Target
  
  Doc1000050789.exe
- Size
  
  2.3MB
- MD5
  
  93865833b3053530f78b1383f9209814
- SHA1
  
  a79c8913e2dfb460e44b8d2e6a50d7fd92ea6612
- SHA256
  
  09d3784d1f2f53fa0f4f30ea6a707acf92def296e10b25d3a42625db5823bfaa
- SHA512
  
  4d46193d703504886e3e10276be867a31c92e922b3e2e461c85fbd573f54819756388d51c090d6c39d16c097b0785ad740405ca4f3309fc72b03ca4480e1c1e0
- SSDEEP
  
  49152:2/VZrC9C/srB/8CO253KJf+vqioQIEh6U+Y70e1tBgT1ETeRxn5aa:2/z6CEJZ953K1+f+M+m0e1tBg2mxn8a
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

agentteslakeyloggerpersistencespywarestealertrojan