agenttesla | 0b335bef9c38177d30cb697d164c19f7eba600e6308596a68d3ca65cdeae3276 | Triage

Sharing

General

Target

0b335bef9c38177d30cb697d164c19f7eba600e6308596a68d3ca65cdeae3276
Size

717KB
Sample

240523-cgnscshg5w
MD5

60ab0aeb4f61a56c90dfa34fb1deb019
SHA1

05930c899983d13253433297d48108aad9936934
SHA256

0b335bef9c38177d30cb697d164c19f7eba600e6308596a68d3ca65cdeae3276
SHA512

cff5575fa908e105e4292a43a0f2e5ed3fda8cc9568926c7b816cc98c4837c34ced792033e1676363fd520a5ee89203ac7984fa04551f5629a4160264fbabf75
SSDEEP

12288:W9h7EJIAr8t0dDM5M2un8MHaAQ30S4pc4vZltjkHHcoIcBi7tN6P7HXyRLi53bRo:+FTKcM2up6RSRvdCc00OrXkir6

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.nwac.com.ng
Port:
21
Username:
[email protected]
Password:
Foundation+111

Extracted

Credentials

Protocol: ftp
Host:
ftp.nwac.com.ng
Port:
21
Username:
[email protected]
Password:
Foundation+111

Targets

- Target
  
  PO 20567812_PDF Kumaran Industries PVT LTD iGST_eH2mYaM.exE
- Size
  
  876KB
- MD5
  
  ef371eec27b49ddba4332cda7f5c3738
- SHA1
  
  6a7568498c09068e845c3341ea34d2ef8cb9eb15
- SHA256
  
  2e927bdc3e5bd50e16ec9b7c94a48a9bd6baf129728b8171e2f14f452ca476f7
- SHA512
  
  bd2d21126aafd328d3e48abd228cc0e1896b8a5e903ae3528f53bc3850f2c0e42262415978e0ac97395248fcb8a1627713956073544e2eae93c2b89a2f54814d
- SSDEEP
  
  12288:J7EhaAryXcd/C5gsunYMHag+30SypS41zBb9YfRcoIcvi7ZNeP71zjsxiY0LWxyi:XdMagsuV6lUL19+c0eWxz5Y0SxgUAq
Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerpersistencespywarestealertrojan