agenttesla | 2f178bc9b2f478f8c9ff224bca3e6aa5f0e2971eb38fe0454bf55f0900162145 | Triage

Sharing

General

Target

04062024_1803_03062024_Balance payment.7z
Size

775KB
Sample

240604-wm7xzaef7w
MD5

6ae61199ddd2c3b909f76c6ec08ae23f
SHA1

3c225841ab785ee6908edf2315c72bea65b88e4a
SHA256

2f178bc9b2f478f8c9ff224bca3e6aa5f0e2971eb38fe0454bf55f0900162145
SHA512

76b2eaeb599e651d53f56bd833f063deae1c0614204129b7d24159432735f23bc9142458214aa729c8ccf946b9401e7e9fed2d2f9aa3ff6fa0a0d4c32d29c5df
SSDEEP

12288:oXonMbbYbaSiEBVgmvE3IGr1+VbscFgxDXVIJS/SNVclHl27fDrKRg5ZlT9RacgW:oiMbwXr3UamNSJySCs77+alPgW

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Targets

- Target
  
  Balance payment.exe
- Size
  
  1.1MB
- MD5
  
  381818e580f43857b5dd3da539308e69
- SHA1
  
  3735e0d48dd8f7cc9988b319cd62c68ec0d40a4c
- SHA256
  
  57b6b7a5011b1e0d3b8a43da9c78528e3a133cd20f5f9cf72c6359dab423693a
- SHA512
  
  7ebb9a3bb8e240d334271ca5496a7400096fb142a0c80f8f5865e477e20093be85afc5278367f599be7e9738d405a75b5dcef38ded06b4cb2a1ecde7453e8736
- SSDEEP
  
  24576:XJ1049HlMMkkelLuAmJyrAs7+1/G06nnjqKoes:c2HlLkdlLuA+yF7YqjqKoes
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerspywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerspywarestealertrojan