agenttesla | 664cbec4215dba42dba423568eb901d26b2ded90931b6ca6e968a85c20161297 | Triage

Sharing

General

Target

664cbec4215dba42dba423568eb901d26b2ded90931b6ca6e968a85c20161297
Size

741KB
Sample

240606-bg25baeb97
MD5

d5bb3211be415e1bc4ef29249e98bd96
SHA1

29ec0f06006f8ba82ad3f0a94374ea85e16d0870
SHA256

664cbec4215dba42dba423568eb901d26b2ded90931b6ca6e968a85c20161297
SHA512

d0075a4ea8d4cf023a3a2c7379f3dc9c81ea9ea20469151d4fe555535fa403a800f566f848f1db1343991c5354fdd75f4ccd4f87dea5350e98602e8b9e6bead3
SSDEEP

12288:ugsrT835g+iqyJMjvDdLncHtD5V+yKvN3tlkTe9JL3Z6R8GUYAIIqJhOFTXILS:35OIdGKyAdlk053Z6qGU4LO

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.merlinmotorworks.com
Port:
587
Username:
[email protected]
Password:
Merlin1080S
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.merlinmotorworks.com
Port:
587
Username:
[email protected]
Password:
Merlin1080S

Targets

- Target
  
  664cbec4215dba42dba423568eb901d26b2ded90931b6ca6e968a85c20161297
- Size
  
  741KB
- MD5
  
  d5bb3211be415e1bc4ef29249e98bd96
- SHA1
  
  29ec0f06006f8ba82ad3f0a94374ea85e16d0870
- SHA256
  
  664cbec4215dba42dba423568eb901d26b2ded90931b6ca6e968a85c20161297
- SHA512
  
  d0075a4ea8d4cf023a3a2c7379f3dc9c81ea9ea20469151d4fe555535fa403a800f566f848f1db1343991c5354fdd75f4ccd4f87dea5350e98602e8b9e6bead3
- SSDEEP
  
  12288:ugsrT835g+iqyJMjvDdLncHtD5V+yKvN3tlkTe9JL3Z6R8GUYAIIqJhOFTXILS:35OIdGKyAdlk053Z6qGU4LO
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerspywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerspywarestealertrojan