agenttesla | 3992784614112361e6f52a59f99526a834a1a471eb74b708605d6d90188848af | Triage

Sharing

General

Target

INQUIRY#46789-AUG24.js
Size

616KB
Sample

240829-gmgcpawhkb
MD5

c32b30698d7c4e0f9d674e7809f10fb6
SHA1

522077297fecddea89006116313701d923b65000
SHA256

3992784614112361e6f52a59f99526a834a1a471eb74b708605d6d90188848af
SHA512

0d5fade8b6174054f062ba801eff0b516d99276afd67013aa691ac027933abd4d60bf73c1a253864ffbe40a0141cf7acd6ff95fb0097d99075af5f13bc9fd459
SSDEEP

12288:G2/iUeEUN6ULhg/ndgF+xjvvT2ZBxoQ3MhzxVDYzayq8Q5CJY0smYkBQPU7H8C6X:G2XFPj6GmEgpj6AZs

Score

10^/10

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#
Email To:
[email protected]

Targets

- Target
  
  INQUIRY#46789-AUG24.js
- Size
  
  616KB
- MD5
  
  c32b30698d7c4e0f9d674e7809f10fb6
- SHA1
  
  522077297fecddea89006116313701d923b65000
- SHA256
  
  3992784614112361e6f52a59f99526a834a1a471eb74b708605d6d90188848af
- SHA512
  
  0d5fade8b6174054f062ba801eff0b516d99276afd67013aa691ac027933abd4d60bf73c1a253864ffbe40a0141cf7acd6ff95fb0097d99075af5f13bc9fd459
- SSDEEP
  
  12288:G2/iUeEUN6ULhg/ndgF+xjvvT2ZBxoQ3MhzxVDYzayq8Q5CJY0smYkBQPU7H8C6X:G2XFPj6GmEgpj6AZs
Score

10^/10

execution agenttesla credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslacredential_accessdiscoveryexecutionkeyloggerpersistencespywarestealertrojan