agenttesla | 7df729859c228320bad86d56619699472112fcdab2099c720771a9b24d2a76b7 | Triage

Sharing

General

Target

7df729859c228320bad86d56619699472112fcdab2099c720771a9b24d2a76b7
Size

620KB
Sample

240829-pav93szhra
MD5

13eb873c3deb96c6f203471ae34333cb
SHA1

61ef1250d4a0299cdf7ebc32ccc46ba0fd15e8ee
SHA256

7df729859c228320bad86d56619699472112fcdab2099c720771a9b24d2a76b7
SHA512

12d74835fd1f38313ae9721581bb7e88bf7de82813938d8e867948c6756c2284d5c0f2d318e36a4b1664686b0c296088a0cacc815228f99b1426b3e28215ab44
SSDEEP

12288:C41+B+6EJV2a+QoAdXm3BA1joiJhDmJSp6RCeyi7tEH38utrORSkV3wcvRA0:X31Ya9dXm36VKJq6RCeyiRbhS2R

Score

10^/10

agenttesla credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Targets

- Target
  
  Balance payment.exe
- Size
  
  1.2MB
- MD5
  
  2a9d09fc65e58d1589d0d10eb43c094a
- SHA1
  
  411e29bdd4bf197ad7a44d4c675e0c0dd78538dd
- SHA256
  
  0fc79caa00d59d4864ef9d4218cf238e52ae8208906c8e4d0a5d8e81c3607eb4
- SHA512
  
  b67e6fb8a2a8d521ba395b8596c2d46212e631d1e04ccc0e67a0a50d6bd42943d1ff2b1aa9a4f317a1cc4fadfa930c80c4b88f97d484cd5ef0b6d3b82a4bd820
- SSDEEP
  
  24576:YB6iYOAM4OF+PMwrSVlbmfDYkhDvGtjXtGUAF9kJ7MqudghfEuCj0hThiHHxlhV0:YBDMw8LrMx
Score

10^/10

agenttesla credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Remote System Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacredential_accessdiscoverykeyloggerpersistencespywarestealertrojan