agenttesla | 8f58aa2f3549e2b9449f530eb6bf91bb4b0be997b97c65245aeb99baa55fdfb9 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

8f58aa2f3549e2b9449f530eb6bf91bb4b0be997b97c65245aeb99baa55fdfb9
Size

760KB
Sample

240802-b5k6psshng
MD5

cde7970091a0b3fd19f7f8f3a855b583
SHA1

6c55f16de86b9dc9052c5e2fe2d94ce6d7e79e9e
SHA256

8f58aa2f3549e2b9449f530eb6bf91bb4b0be997b97c65245aeb99baa55fdfb9
SHA512

19bd3514fdf5d0ff6b47268795bd13c03401d6adb74553e578b7bf40b1c5219ebb7fd40c9f587ff8cf1f3a1f7d834ac5cb006c66d0374badc7d897033625cdeb
SSDEEP

12288:zU3929BC4rqhpfVIbQMjRq/3ml/bCoygRFg+48MMOI/bxqbyoZ48oLBbl+d/WDwt:zU89BNuhEbQM62UPjZU/lqjY1ZUW8t

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
phoenixblowers.com
Port:
587
Username:
[email protected]
Password:
Officeback@2022#
Email To:
[email protected]

Targets

- Target
  
  8f58aa2f3549e2b9449f530eb6bf91bb4b0be997b97c65245aeb99baa55fdfb9
- Size
  
  760KB
- MD5
  
  cde7970091a0b3fd19f7f8f3a855b583
- SHA1
  
  6c55f16de86b9dc9052c5e2fe2d94ce6d7e79e9e
- SHA256
  
  8f58aa2f3549e2b9449f530eb6bf91bb4b0be997b97c65245aeb99baa55fdfb9
- SHA512
  
  19bd3514fdf5d0ff6b47268795bd13c03401d6adb74553e578b7bf40b1c5219ebb7fd40c9f587ff8cf1f3a1f7d834ac5cb006c66d0374badc7d897033625cdeb
- SSDEEP
  
  12288:zU3929BC4rqhpfVIbQMjRq/3ml/bCoygRFg+48MMOI/bxqbyoZ48oLBbl+d/WDwt:zU89BNuhEbQM62UPjZU/lqjY1ZUW8t
Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

behavioral2

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan