agenttesla | 61026638bd73c47fc0da3f6f4e61e7ecadbd798da553749fdd4303079981bce6 | Triage

Sharing

General

Target

61026638bd73c47fc0da3f6f4e61e7ecadbd798da553749fdd4303079981bce6
Size

235KB
Sample

240828-x9s8rssckh
MD5

98e72dc9d7f5b9e39832960c6f0787ef
SHA1

403843ece5a931f42ba921bc66e57a5e0e50e6a5
SHA256

61026638bd73c47fc0da3f6f4e61e7ecadbd798da553749fdd4303079981bce6
SHA512

fe6d99eec9224a04aa386156bc292dd2088eda87cf9a245ff9930aa407f33ea8e2962fb6119c80f1ff43634ef5a4bc9901f79ef53130f0999847b4482b2c65ab
SSDEEP

6144:RIM5bVUS0YnauJKZum/+JREa0KpBDP+q3T2l0169:RH5b2VJuCCbZpxpj2j

Score

10^/10

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#
Email To:
[email protected]

Targets

- Target
  
  INQUIRY#46789-AUG24.js
- Size
  
  616KB
- MD5
  
  c32b30698d7c4e0f9d674e7809f10fb6
- SHA1
  
  522077297fecddea89006116313701d923b65000
- SHA256
  
  3992784614112361e6f52a59f99526a834a1a471eb74b708605d6d90188848af
- SHA512
  
  0d5fade8b6174054f062ba801eff0b516d99276afd67013aa691ac027933abd4d60bf73c1a253864ffbe40a0141cf7acd6ff95fb0097d99075af5f13bc9fd459
- SSDEEP
  
  12288:G2/iUeEUN6ULhg/ndgF+xjvvT2ZBxoQ3MhzxVDYzayq8Q5CJY0smYkBQPU7H8C6X:G2XFPj6GmEgpj6AZs
Score

10^/10

execution agenttesla credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslacredential_accessdiscoveryexecutionkeyloggerpersistencespywarestealertrojan