agenttesla | 2e9d474f90a5c43d767c73004a0461ab4375e969fa4f1c30aa6fc3262042f91c | Triage

Sharing

General

Target

2e9d474f90a5c43d767c73004a0461ab4375e969fa4f1c30aa6fc3262042f91c.exe
Size

665KB
Sample

240919-bkgb1staln
MD5

2be4110ed6b10a4b4be3ef34a33662f1
SHA1

b69d958c68834f79a74e37657403f3a8ac1fb239
SHA256

2e9d474f90a5c43d767c73004a0461ab4375e969fa4f1c30aa6fc3262042f91c
SHA512

81cce820bd888d665079ba2c33a10369806ca1c54dc8f50cb5f8609c98ff6b9a6d7bd707e54d2f65b2826fc5c51d092ce21ef2f0b1bcdb411ffacd489001d1f9
SSDEEP

12288:BrVQDZ6cwjwfSVmiGQPbZzYAzSbIQcQzqPveps8P1wEUxMNKUb:BSV+ZzYAzS2kqsUi

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://inhanoi.net.vn
Port:
21
Username:
[email protected]
Password:
^TSt3!FK$UBA

Targets

- Target
  
  2e9d474f90a5c43d767c73004a0461ab4375e969fa4f1c30aa6fc3262042f91c.exe
- Size
  
  665KB
- MD5
  
  2be4110ed6b10a4b4be3ef34a33662f1
- SHA1
  
  b69d958c68834f79a74e37657403f3a8ac1fb239
- SHA256
  
  2e9d474f90a5c43d767c73004a0461ab4375e969fa4f1c30aa6fc3262042f91c
- SHA512
  
  81cce820bd888d665079ba2c33a10369806ca1c54dc8f50cb5f8609c98ff6b9a6d7bd707e54d2f65b2826fc5c51d092ce21ef2f0b1bcdb411ffacd489001d1f9
- SSDEEP
  
  12288:BrVQDZ6cwjwfSVmiGQPbZzYAzSbIQcQzqPveps8P1wEUxMNKUb:BSV+ZzYAzS2kqsUi
Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

behavioral2

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan