agenttesla | 606724e680cd1b638b4fcd1880a74ac4354198ef70bfff1ad48f6987547f1c2a | Triage

Sharing

Copy URL Twitter E-mail

General

Target

606724e680cd1b638b4fcd1880a74ac4354198ef70bfff1ad48f6987547f1c2a
Size

615KB
Sample

240604-bq2vxaha47
MD5

6150620894da65c261dfcfa1385ced0a
SHA1

29a5430d472c3b423fa7f9ad50574dc70cd5f37f
SHA256

606724e680cd1b638b4fcd1880a74ac4354198ef70bfff1ad48f6987547f1c2a
SHA512

68665f0703146f351f8e4ef1be321dea4198da60c0e3ff5d411885e98f673eda783e5142bac63d46aea9d76363f6e17dc30ec2a3e8527d82b135c3b6a02323bd
SSDEEP

12288:aEC/e96mfbxNWhbtBq/5T4CqVb9pq+In+79G7/1ZNGOn3AScvBZfLawe:ap2fdNabtBM5T4CqVbnqluQNGcGBVTe

Score

10^/10

agenttesla evasion execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.thestore99.shop
Port:
587
Username:
[email protected]
Password:
@thestore99.shop
Email To:
[email protected]

Targets

- Target
  
  606724e680cd1b638b4fcd1880a74ac4354198ef70bfff1ad48f6987547f1c2a
- Size
  
  615KB
- MD5
  
  6150620894da65c261dfcfa1385ced0a
- SHA1
  
  29a5430d472c3b423fa7f9ad50574dc70cd5f37f
- SHA256
  
  606724e680cd1b638b4fcd1880a74ac4354198ef70bfff1ad48f6987547f1c2a
- SHA512
  
  68665f0703146f351f8e4ef1be321dea4198da60c0e3ff5d411885e98f673eda783e5142bac63d46aea9d76363f6e17dc30ec2a3e8527d82b135c3b6a02323bd
- SSDEEP
  
  12288:aEC/e96mfbxNWhbtBq/5T4CqVb9pq+In+79G7/1ZNGOn3AScvBZfLawe:ap2fdNabtBM5T4CqVbnqluQNGcGBVTe
Score

10^/10

agenttesla evasion execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslaevasionexecutionkeyloggerspywarestealertrojan