agenttesla

General

Target

ORDINE N°61 DATA 23-05-2024.iso
Size

65KB
Sample

240523-lvqzbacd9v
MD5

0d8f6caf211e28d1eb138915e5749c64
SHA1

9ec692b04ba1c49c29d7a3d3aacf1ad658fd38bb
SHA256

a95a24749926634be6d8ad223cc9c05fc42dc66261fe00e00deb4a357bc8e059
SHA512

fad024848234be462ae19e5497adb93c017cf0f0bec6fdcc2e1181646f5adc739df814a25aa1ecd388c4c694711de3222d4fe1c4f6837f53b8844052168e4d22
SSDEEP

96:5UlJjhvtpW0iVIW/M7jTZYr8wDehJQQ43VJ2KOwbo2fSjCu0GURfk:elJNlbCwX43TOwbo2yCnGURf

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.fusologistics.com
Port:
587
Username:
[email protected]
Password:
Temp4u2change
Email To:
[email protected]

Targets

- Target
  
  ORDINE N°61 DATA 23-05-2024.iso
- Size
  
  65KB
- MD5
  
  0d8f6caf211e28d1eb138915e5749c64
- SHA1
  
  9ec692b04ba1c49c29d7a3d3aacf1ad658fd38bb
- SHA256
  
  a95a24749926634be6d8ad223cc9c05fc42dc66261fe00e00deb4a357bc8e059
- SHA512
  
  fad024848234be462ae19e5497adb93c017cf0f0bec6fdcc2e1181646f5adc739df814a25aa1ecd388c4c694711de3222d4fe1c4f6837f53b8844052168e4d22
- SSDEEP
  
  96:5UlJjhvtpW0iVIW/M7jTZYr8wDehJQQ43VJ2KOwbo2fSjCu0GURfk:elJNlbCwX43TOwbo2yCnGURf
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2