agenttesla | 75ae08a3551577bab675fa1b9263e6eb6173be749864b0b073ed535cf57597b9 | Triage

Sharing

General

Target

PO#0094321.exe
Size

689KB
Sample

240618-qext5syglm
MD5

e938208917aa519c849d75e33c77214f
SHA1

ab4a3013de343543309fd80e593ae1e66d4da166
SHA256

75ae08a3551577bab675fa1b9263e6eb6173be749864b0b073ed535cf57597b9
SHA512

599562228352a9138f2f9b7131f415739ce75668d8067abd14d8c5edad6329cc716fc848b678d418e99a69491a949d8d571b990e84855bfbfca8f2c27d3e5258
SSDEEP

12288:t2iNvFIsPAdbMybkIrlZlI/5+cYH2ViL+x8LEvHCqQwQqPbuFz1ycHshxk:t1DIKabOIrlZlu+cViyx8L0H5KFoqg

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
qqvQB2@@@@@
Email To:
[email protected]

Targets

- Target
  
  PO#0094321.exe
- Size
  
  689KB
- MD5
  
  e938208917aa519c849d75e33c77214f
- SHA1
  
  ab4a3013de343543309fd80e593ae1e66d4da166
- SHA256
  
  75ae08a3551577bab675fa1b9263e6eb6173be749864b0b073ed535cf57597b9
- SHA512
  
  599562228352a9138f2f9b7131f415739ce75668d8067abd14d8c5edad6329cc716fc848b678d418e99a69491a949d8d571b990e84855bfbfca8f2c27d3e5258
- SSDEEP
  
  12288:t2iNvFIsPAdbMybkIrlZlI/5+cYH2ViL+x8LEvHCqQwQqPbuFz1ycHshxk:t1DIKabOIrlZlu+cViyx8L0H5KFoqg
Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerpersistencespywarestealertrojan