agenttesla

General

Target

988cecb39c8ff652b9f6f677c11c53279ffb166608acf3cbd4aa7cafc6019800
Size

1.0MB
Sample

240524-a7h9fsfb8y
MD5

ccdd09951364a23f760ac5b6425dabe4
SHA1

00f370ab98cbbd7cb81b522b52154859240a1f7c
SHA256

988cecb39c8ff652b9f6f677c11c53279ffb166608acf3cbd4aa7cafc6019800
SHA512

c0d7f193e92060a14eed04e867a4b57004e0acd63118e97f921e9d6707242ad8e62a744ab4f6f1f7ed8776df0ffd3c5738bae2fd74d60da977b5fb8d751e1fa4
SSDEEP

24576:2R+ow4bjw4b0LqM4oxEK8GPMdiXCC3MkejWIF5y73:2Rrw4bjw4b0/XPMdiyC3M/So5E3

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.greenimpressionbd.com
Port:
587
Username:
[email protected]
Password:
Rumizaman123
Email To:
[email protected]

Targets

- Target
  
  988cecb39c8ff652b9f6f677c11c53279ffb166608acf3cbd4aa7cafc6019800
- Size
  
  1.0MB
- MD5
  
  ccdd09951364a23f760ac5b6425dabe4
- SHA1
  
  00f370ab98cbbd7cb81b522b52154859240a1f7c
- SHA256
  
  988cecb39c8ff652b9f6f677c11c53279ffb166608acf3cbd4aa7cafc6019800
- SHA512
  
  c0d7f193e92060a14eed04e867a4b57004e0acd63118e97f921e9d6707242ad8e62a744ab4f6f1f7ed8776df0ffd3c5738bae2fd74d60da977b5fb8d751e1fa4
- SSDEEP
  
  24576:2R+ow4bjw4b0LqM4oxEK8GPMdiXCC3MkejWIF5y73:2Rrw4bjw4b0/XPMdiyC3M/So5E3
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2