agenttesla | 850e04f732c4bfbbc9be64efd835b5bbcedb83854427946611ca19aeaffeaa27 | Triage

Sharing

General

Target

19092024_0650_Image_001.vbs.zip
Size

182KB
Sample

240919-hl2gxawdmn
MD5

71c4c568734a6f8d1f6a198b5f7f87f2
SHA1

232c6a6b2e0af6c65d860acceaa0eebec531ca58
SHA256

850e04f732c4bfbbc9be64efd835b5bbcedb83854427946611ca19aeaffeaa27
SHA512

27fb0e516799c3a3161b66a3c5179cb0b9a976b9a0e76379fe35df62e8a8998b0cf6bc1b44f4491fb814853722ec39a763ab522c41c84c0a1f38ab046babdb15
SSDEEP

3072:FUI8+ODuT11yEcyEjZtAEmhovozc4U7xiYymAWT/Vk6RicqG8T1tEh9sOUIdKEr:Fb8uHyEcTjZuEZAzvU7x4v6RiO8nEhVl

Score

10^/10

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6852245174:AAHgk_9s-tH6YNacTaCnQz56uJMggI0fZDw/

Targets

- Target
  
  Image_001.vbs
- Size
  
  507KB
- MD5
  
  369b2913abd7a1e2ecfeea185e737e61
- SHA1
  
  eb9431fc12b373c216e2c89af2cfdafdc5dae727
- SHA256
  
  8264386f0b6a0e9b2aa5f908dc3909f4b8a61b619edb269baf56bf7112ae100e
- SHA512
  
  e6e02f36641a087c1e437885c1b432e325f6b805ba371093302092912065515efe090121ea54f432ea6e23c466a44635c426efbaad2268cf03c251b0657f8f9b
- SSDEEP
  
  12288:bsD8YhlqjFf0pIWLNvd5/iaPr4/Is0en9sAWxihGmxLyKSHPh72RwsZIohgrVVMA:jcj6whXoTMA0t
Score

10^/10

execution agenttesla credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslacredential_accessdiscoveryexecutionkeyloggerpersistencespywarestealertrojan