agenttesla | d0a7ab9caee180be753904440f83e6cb505ff4e5bf3790201084dfc365a7ba6d | Triage

Sharing

General

Target

19092024_0636_ECF 2024_864.pdf.js.gz
Size

233KB
Sample

240919-hcypnawakr
MD5

e985ab4bf9a751ba5ef25004ef936b0c
SHA1

70ddd798be253e4c4b0cc2184fd65627a5055b7f
SHA256

d0a7ab9caee180be753904440f83e6cb505ff4e5bf3790201084dfc365a7ba6d
SHA512

69912542ca11c4fbb060676dd11bc13bad4eefee9adba4cd7d8b9a8c677bb8ff4c9ba44649ffef30cbffa59e705b6209d98afe3fa8d2a427eb2625565a8b1424
SSDEEP

6144:FahkIF+S4Egs6lQsSzbMsq+Kk7vl0Rk37aoAYCFq:FI0SvsZS/Mz+KkGqtAVq

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Extracted

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN
Email To:
[email protected]

Targets

- Target
  
  ECF 2024_864.pdf.js
- Size
  
  601KB
- MD5
  
  1209aa3c1e362933feb8865c34f2a4ee
- SHA1
  
  91d4969e93f600480f20399fc2343448dadd8526
- SHA256
  
  5887f2482c2d989943b76bb2c63d4809e019e6a993e60b66d776132503658f7d
- SHA512
  
  4ee970984f0550f75b6f56102181a439f8428735c3ea3b0716d3fdbb1c60fa4e5a8350aa45f544e1a8cf368597819949df67c56657e5594561b86a941236b695
- SSDEEP
  
  12288:HZhY3S3w+Z45JZ+3fUqHwiPAlpIyvvQ54UBPOX8a1Gepxfa+rjuCi5oKjXdbdOv1:fYi3PGLx3USi5UwwB
Score

10^/10

execution agenttesla credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan