agenttesla | 79c5102316d9d99b55f51c53550a99b9ccef58f7386d79601a314029625c87aa | Triage

Sharing

General

Target

79c5102316d9d99b55f51c53550a99b9ccef58f7386d79601a314029625c87aa.exe
Size

346KB
Sample

240809-wzcbtsxerc
MD5

3470b26b4f683b2c79794d5a71b5d681
SHA1

cb17633bfb7e935c0ff9b9aded16ec64cd45880b
SHA256

79c5102316d9d99b55f51c53550a99b9ccef58f7386d79601a314029625c87aa
SHA512

2c7cae1b505c98c07873f592087bbc864600a80be8f33069417e67d35ed5f221fcee96eea3b230c4c3b8a3096c8c99f11187977be31af537490b5757d4eb55c4
SSDEEP

6144:0Mm4CCe7fZXJPg3h/tZfbbFNKU7IUqIO/P8XbCo/32TIKaWEPgHT02ED1sgMo:0Mwd2Vpb5pyEXbb/m5t0WI

Score

10^/10

agenttesla guloader credential_access discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Targets

- Target
  
  79c5102316d9d99b55f51c53550a99b9ccef58f7386d79601a314029625c87aa.exe
- Size
  
  346KB
- MD5
  
  3470b26b4f683b2c79794d5a71b5d681
- SHA1
  
  cb17633bfb7e935c0ff9b9aded16ec64cd45880b
- SHA256
  
  79c5102316d9d99b55f51c53550a99b9ccef58f7386d79601a314029625c87aa
- SHA512
  
  2c7cae1b505c98c07873f592087bbc864600a80be8f33069417e67d35ed5f221fcee96eea3b230c4c3b8a3096c8c99f11187977be31af537490b5757d4eb55c4
- SSDEEP
  
  6144:0Mm4CCe7fZXJPg3h/tZfbbFNKU7IUqIO/P8XbCo/32TIKaWEPgHT02ED1sgMo:0Mwd2Vpb5pyEXbb/m5t0WI
Score

10^/10

discovery agenttesla guloader credential_access downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  08de81a4584f5201086f57a7a93ed83b
- SHA1
  
  266a6ecc8fb7dca115e6915cd75e2595816841a8
- SHA256
  
  4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6
- SHA512
  
  b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9
- SSDEEP
  
  48:S46+/1TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mLofjLl:zHuPbOBtWZBV8jAWiAJCdv2CmeL
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  6e55a6e7c3fdbd244042eb15cb1ec739
- SHA1
  
  070ea80e2192abc42f358d47b276990b5fa285a9
- SHA256
  
  acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
- SHA512
  
  2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35
- SSDEEP
  
  192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
Score

3^/10

discovery
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslaguloadercredential_accessdiscoverydownloaderkeyloggerspywarestealertrojan

behavioral3

behavioral4

behavioral5

behavioral6