agenttesla | da41a1b5363b883fb13c819c595ead87b269dba1bfb51b8176669adcdfe49d8a | Triage

Sharing

General

Target

da41a1b5363b883fb13c819c595ead87b269dba1bfb51b8176669adcdfe49d8a.7z
Size

669KB
Sample

240919-b8yafavcrp
MD5

f7aff02f3542e92dd66f93b5e59dadcd
SHA1

881e8d807561657f972e7c0fc36f946faf6cc10e
SHA256

da41a1b5363b883fb13c819c595ead87b269dba1bfb51b8176669adcdfe49d8a
SHA512

9a8aafd568fd3eab103f428d45b8afb44f50c37ea3bf7e0d6c8bf90eb20b965668e59c84f5efe70ced99dfb83729e4e416e5281fcc42448b9ddfc18f3b76a940
SSDEEP

12288:Fjzkpx8txNxA0Phpiv6GFx3u3w/8DxukEf8uMe2HgkTU+OwFR7/hbd9bbt/3Sb:Fn6ufxhJcv5KgAa8u7+gkTUA/7pbd9vU

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
manlikeyou88
Email To:
[email protected]

Targets

- Target
  
  Global e-Banking Payment Advice 000000164.exe
- Size
  
  1.0MB
- MD5
  
  bbec860047a8e57d464f8ca00ba3dd9e
- SHA1
  
  25078f4b524446d73844952780b1c80750bc8fc7
- SHA256
  
  617aad709ac7d66890968766cc4b21481d268624d5505963058e7fa10748a57c
- SHA512
  
  a4a0ec4346bb59e39b571f3f058c5211222de0a93cbc570e05cefb5f951a2e44983001c6fd7cfe7ca2bb753fd88db2ae9d64aede2f541af669589db3346827ab
- SSDEEP
  
  24576:8ctTx3fcFSvgIl5urL05mUyl7EbL9j1ui1q:FxvcmurAIEX11u
Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

behavioral2

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan