agenttesla | eb70e1bf7b7b8c832991f15336b87a7a53d36c4e453e947c947b6eb3941681fc | Triage

Sharing

Copy URL Twitter E-mail

General

Target

eb70e1bf7b7b8c832991f15336b87a7a53d36c4e453e947c947b6eb3941681fc
Size

672KB
Sample

240601-btc1yscg5z
MD5

0a43cb09c3844c984f53200e364dc49a
SHA1

d6e732014d76e02bbeac44ec78febfffb3b7cbb5
SHA256

eb70e1bf7b7b8c832991f15336b87a7a53d36c4e453e947c947b6eb3941681fc
SHA512

aa92f2d0534507a9d3497cac81635b21d5ad50a20226aa659b5409f0b6ead11033e4f56942c86aa41adac45885232bc8018a0e0a6b3218960f09b55a29251abd
SSDEEP

12288:BZMT04Bfe5Q8O0iceAz8IqHbsPFHAcYp5z9XCqK0Z:ETRf8O/ceAzPqHRcYp/5pZ

Score

10^/10

agenttesla evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7482754642:AAG6OsLAyPlWPktRTRm2e2MZvYFBUZOGWlI/

Targets

- Target
  
  eb70e1bf7b7b8c832991f15336b87a7a53d36c4e453e947c947b6eb3941681fc
- Size
  
  672KB
- MD5
  
  0a43cb09c3844c984f53200e364dc49a
- SHA1
  
  d6e732014d76e02bbeac44ec78febfffb3b7cbb5
- SHA256
  
  eb70e1bf7b7b8c832991f15336b87a7a53d36c4e453e947c947b6eb3941681fc
- SHA512
  
  aa92f2d0534507a9d3497cac81635b21d5ad50a20226aa659b5409f0b6ead11033e4f56942c86aa41adac45885232bc8018a0e0a6b3218960f09b55a29251abd
- SSDEEP
  
  12288:BZMT04Bfe5Q8O0iceAz8IqHbsPFHAcYp5z9XCqK0Z:ETRf8O/ceAzPqHRcYp/5pZ
Score

10^/10

agenttesla evasion execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaevasionexecutionkeyloggerspywarestealertrojan

behavioral2

agentteslaevasionexecutionkeyloggerspywarestealertrojan