agenttesla

General

Target

f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b.exe
Size

708KB
Sample

240626-b4rbbszejp
MD5

e0026df83e1aa08616a11d9104faad46
SHA1

1740312c7651b432fa0ab47819919ec034f8c67b
SHA256

f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b
SHA512

6564396ef6b396ae3ee367e6285924d04b4ee2171af4c58c195a61a1a2093adee4baea01e36e58a616fd70257119945666d95f3a943c0e057f1ec66fb64eeb29
SSDEEP

12288:mYV6MorX7qzuC3QHO9FQVHPF51jgcq556I95wyWr5vkTj5+u4Q3lfT1VP9v:lBXu9HGaVHpm5fWrBkToEV71v

Score

10^/10

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1251110202149699625/eDNZWTFoHBDo8HXw0aunmvGeBWciM4C8KyCpUHy9gEFPn1XyMs30gAsSjfRX6u9Vnuig

Targets

- Target
  
  f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b.exe
- Size
  
  708KB
- MD5
  
  e0026df83e1aa08616a11d9104faad46
- SHA1
  
  1740312c7651b432fa0ab47819919ec034f8c67b
- SHA256
  
  f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b
- SHA512
  
  6564396ef6b396ae3ee367e6285924d04b4ee2171af4c58c195a61a1a2093adee4baea01e36e58a616fd70257119945666d95f3a943c0e057f1ec66fb64eeb29
- SSDEEP
  
  12288:mYV6MorX7qzuC3QHO9FQVHPF51jgcq556I95wyWr5vkTj5+u4Q3lfT1VP9v:lBXu9HGaVHpm5fWrBkToEV71v
Score

10^/10

agenttesla keylogger spyware stealer trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables Discord URL observed in first stage droppers
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- UPX dump on OEP (original entry point)
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables Discord URL observed in first stage droppers

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

UPX dump on OEP (original entry point)

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2