agenttesla | 2e927bdc3e5bd50e16ec9b7c94a48a9bd6baf129728b8171e2f14f452ca476f7 | Triage

Sharing

General

Target

2e927bdc3e5bd50e16ec9b7c94a48a9bd6baf129728b8171e2f14f452ca476f7
Size

876KB
Sample

240523-cgmkashg41
MD5

ef371eec27b49ddba4332cda7f5c3738
SHA1

6a7568498c09068e845c3341ea34d2ef8cb9eb15
SHA256

2e927bdc3e5bd50e16ec9b7c94a48a9bd6baf129728b8171e2f14f452ca476f7
SHA512

bd2d21126aafd328d3e48abd228cc0e1896b8a5e903ae3528f53bc3850f2c0e42262415978e0ac97395248fcb8a1627713956073544e2eae93c2b89a2f54814d
SSDEEP

12288:J7EhaAryXcd/C5gsunYMHag+30SypS41zBb9YfRcoIcvi7ZNeP71zjsxiY0LWxyi:XdMagsuV6lUL19+c0eWxz5Y0SxgUAq

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.nwac.com.ng
Port:
21
Username:
[email protected]
Password:
Foundation+111

Extracted

Credentials

Protocol: ftp
Host:
ftp.nwac.com.ng
Port:
21
Username:
[email protected]
Password:
Foundation+111

Targets

- Target
  
  2e927bdc3e5bd50e16ec9b7c94a48a9bd6baf129728b8171e2f14f452ca476f7
- Size
  
  876KB
- MD5
  
  ef371eec27b49ddba4332cda7f5c3738
- SHA1
  
  6a7568498c09068e845c3341ea34d2ef8cb9eb15
- SHA256
  
  2e927bdc3e5bd50e16ec9b7c94a48a9bd6baf129728b8171e2f14f452ca476f7
- SHA512
  
  bd2d21126aafd328d3e48abd228cc0e1896b8a5e903ae3528f53bc3850f2c0e42262415978e0ac97395248fcb8a1627713956073544e2eae93c2b89a2f54814d
- SSDEEP
  
  12288:J7EhaAryXcd/C5gsunYMHag+30SypS41zBb9YfRcoIcvi7ZNeP71zjsxiY0LWxyi:XdMagsuV6lUL19+c0eWxz5Y0SxgUAq
Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerpersistencespywarestealertrojan