agenttesla | 51e66da9edde893a5256802ac71b04360925d3b5cf5f61f8b46a70420400c182 | Triage

Submit
Reports

Overview

overview

Static

static

3

PAID US$2380.exe

windows7-x64

PAID US$2380.exe

windows10-2004-x64

Sharing

General

Target

da3cb4449b0d38df5c78fdc589771a32_JaffaCakes118
Size

344KB
Sample

240911-ngjn7axdjq
MD5

da3cb4449b0d38df5c78fdc589771a32
SHA1

348594d32f27f3afb56618269c990b583bf39871
SHA256

51e66da9edde893a5256802ac71b04360925d3b5cf5f61f8b46a70420400c182
SHA512

c9db32034cc02cfc1458999a2566f0e83d2c75d298ac04862cf516e0c9ec5f387b8761e9161da582954784ee7e9335e9a1f103d4074b9b6f59a0fafc936f9425
SSDEEP

6144:U0fvYAgXekqHDezyQWje1sraBVea7IaybZXwp51Sy7FWWASZ2xCw3mGigC:/QkB8yDC10a7f7CRo19WW92xCw3N+

Score

10^/10

agenttesla discovery evasion keylogger spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

PAID US$2380.exe

Resource

win7-20240903-en

agenttesla discovery evasion keylogger spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

PAID US$2380.exe

Resource

win10v2004-20240802-en

agenttesla discovery evasion keylogger spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.elcomonline.com
Port:
587
Username:
[email protected]
Password:
Elcom@302

Targets

- Target
  
  PAID US$2380.exe
- Size
  
  434KB
- MD5
  
  738600a951d6d1a0a4ffca28e6b993a8
- SHA1
  
  11acdddd45b31a8fa300ddf85eca49de51ce31e9
- SHA256
  
  96bb500afd48645a966af87ba319dc72388964f84726552f72f31c936c7628b2
- SHA512
  
  052509a721b207d1152cb51f83c6f150a912a0b05bafdb6c4a91d505652825f5c83b4b450d6617bfd30a3251c8ed925edc56d328edb7c223897e155c2faee331
- SSDEEP
  
  12288:Bmzy2MAvE9XVvQxEVpv7sJqYJS50QRfjGbI1p2WVexCz:B/sUYAFhjGbmexCz
Score

10^/10

agenttesla discovery evasion keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- AgentTesla payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoveryevasionkeyloggerspywarestealertrojan

behavioral2

agenttesladiscoveryevasionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy