agenttesla | 4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

4a1e405083...0.xlam

windows7-x64

4a1e405083...0.xlam

windows10-2004-x64

1

Sharing

General

Target

4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlsx
Size

675KB
Sample

240607-bzgakafd3x
MD5

71e83cfe190375b478e42933ac4e1997
SHA1

bd4ce42a4599837b7a819e41ab740881f2f9bbd1
SHA256

4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0
SHA512

a7a1fb14380353be5200ab7360a7338b8fe93f93f614faa03cfc296a9f87a7c8188cd09ecc06ef30192ffcbd8d4da25b95dae77d70a12755769e232dd6d82bb3
SSDEEP

12288:DQnWa/bT29nrmgHgFSPn643Cyne30ZPN9P2X9CcDhZ28mGEWOVPJ9u0aJ2BrupA+:sMAs6A1e3of2XM01mtVxEpQBrdGDYw

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlam

Resource

win7-20240508-en

agenttesla keylogger spyware stealer trojan

windows7-x64

26 signatures

150 seconds

Behavioral task

behavioral2

Sample

4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlam

Resource

win10v2004-20240508-en

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Targets

- Target
  
  4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlsx
- Size
  
  675KB
- MD5
  
  71e83cfe190375b478e42933ac4e1997
- SHA1
  
  bd4ce42a4599837b7a819e41ab740881f2f9bbd1
- SHA256
  
  4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0
- SHA512
  
  a7a1fb14380353be5200ab7360a7338b8fe93f93f614faa03cfc296a9f87a7c8188cd09ecc06ef30192ffcbd8d4da25b95dae77d70a12755769e232dd6d82bb3
- SSDEEP
  
  12288:DQnWa/bT29nrmgHgFSPn643Cyne30ZPN9P2X9CcDhZ28mGEWOVPJ9u0aJ2BrupA+:sMAs6A1e3of2XM01mtVxEpQBrdGDYw
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy