agenttesla | 3e0399c730996386f895fb276f727a0dd3095ae40c59ca11b56ed55ae8207285 | Triage

Sharing

General

Target

db45193c0f7beea46dda2ee72efa46a9_JaffaCakes118
Size

553KB
Sample

240911-1lmmvsvdre
MD5

db45193c0f7beea46dda2ee72efa46a9
SHA1

00a1877bcc8b94ab78e9e56b3df67bcbece186cd
SHA256

3e0399c730996386f895fb276f727a0dd3095ae40c59ca11b56ed55ae8207285
SHA512

c34260d0ae9e371eb6c6987f9ccae2db21cf3b239046812aad75887808cee6eda12501249c42c7ceb51fd45ef023fe4f44be6c896f864b7f0f460074877a2957
SSDEEP

12288:ksj4nN3zLB/4eym+XDCtdwpV1xijwwmxKUOJSZVoe3lvWRV:kCkN3H2eyj+tGp3wNiNpVoe3lvCV

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.flsrnidth.com
Port:
587
Username:
[email protected]
Password:
BZ^(npqQ6vPH

Targets

- Target
  
  db45193c0f7beea46dda2ee72efa46a9_JaffaCakes118
- Size
  
  553KB
- MD5
  
  db45193c0f7beea46dda2ee72efa46a9
- SHA1
  
  00a1877bcc8b94ab78e9e56b3df67bcbece186cd
- SHA256
  
  3e0399c730996386f895fb276f727a0dd3095ae40c59ca11b56ed55ae8207285
- SHA512
  
  c34260d0ae9e371eb6c6987f9ccae2db21cf3b239046812aad75887808cee6eda12501249c42c7ceb51fd45ef023fe4f44be6c896f864b7f0f460074877a2957
- SSDEEP
  
  12288:ksj4nN3zLB/4eym+XDCtdwpV1xijwwmxKUOJSZVoe3lvWRV:kCkN3H2eyj+tGp3wNiNpVoe3lvCV
Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan