agenttesla | d43caa8513d5c833150caaea54a56ebad2306f89cac3266d057d7f47282c1a11 | Triage

Sharing

General

Target

d43caa8513d5c833150caaea54a56ebad2306f89cac3266d057d7f47282c1a11.img
Size

1.2MB
Sample

240523-r8gkpaeh84
MD5

cdf2d0ec69cda136a182b17c4e272337
SHA1

3821755c637e4b1bee6053dbbb8cddf26ab553e3
SHA256

d43caa8513d5c833150caaea54a56ebad2306f89cac3266d057d7f47282c1a11
SHA512

482ef8aa1120c6ee5e1b5d68a1d2e957a94fbb73c39ed3dcc0f0ceaa4b35a7b2c3d8116cdbd90458240cfa454f4fb7fb07443f8dcf62c3cacceee85d17fec060
SSDEEP

192:3jY2yDwVFJs7R6/F53IYG8NJu0aTV/cFaFrmxpCz6cf:1/Jh/FNImyfTV/xrmxpCz6c

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.medicalhome.com.pe
Port:
587
Username:
info@medicalhome.com.pe
Password:
MHinfo01
Email To:
og.bahd@yandex.ru

Targets

- Target
  
  SKIIP 83EC125T1 22-0-05-24RQ.vbs
- Size
  
  5KB
- MD5
  
  62bc79cdf5d55f891ae6d2a662cb87fc
- SHA1
  
  2ab352feb12da98eca4c5ec9ce4b349f5731ab50
- SHA256
  
  d14ef42bd2f3ecb7ff2e7ea8b7fd79b06f5b048c2f181381b5f8b790b7228f3b
- SHA512
  
  1335d32fa999b5f3729f0b94caf214e09b78c9f3108c05e8fb6fddb828f7d8049a17c2e1b72ca12203ebdda0141d22c326e1986057677fdb9efe6970638c7db2
- SSDEEP
  
  96:QsLisJvmYz2W6/F5J9eI8L7YMH8NJPW0agOVTLU5VFPB5Gv9rmJ/pCz6cfp:QJs7R6/F53IYG8NJu0aTV/cFaFrmxpCv
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerpersistencespywarestealertrojan

behavioral2

agentteslakeyloggerpersistencespywarestealertrojan