agenttesla | a5a6ca0edf619cdc266bea9b0ae2b45f347659f5bafdb2ecf1c83ecd56d62836 | Triage

Sharing

General

Target

3.rar
Size

1.0MB
Sample

240920-rfmw1a1arr
MD5

f37aa301fd82fb8423ab5106d94352fe
SHA1

34261ea5305faee027fe67237e2ac7a4846f955e
SHA256

a5a6ca0edf619cdc266bea9b0ae2b45f347659f5bafdb2ecf1c83ecd56d62836
SHA512

963cb9dbf6954f94c10360f2e1315c545787cee3be1741b193095f7633e9fc2c210e842a18e54ed00962df6c55b54cac6294f751e4619d9bc3779be2ebb80378
SSDEEP

24576:xH7+qvoOP8LCi8W/U/8Gsel5AUcLHRabfu9bgQHhV4:xbNP8Es9UeQ8bgk4

Score

10^/10

agenttesla credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
M992uew1mw6Z
Email To:
[email protected]

Targets

- Target
  
  SOA_Doc_1002205.exe
- Size
  
  1.1MB
- MD5
  
  30ee5aed8f77d9ce4dcb25caea725c9a
- SHA1
  
  31bac1bab25c06fb44461f8bf7e78d6026fc0432
- SHA256
  
  0135e5366b17a1a4b8c0d07d6784bb327c0ba2883ec8220e82903e910e94d597
- SHA512
  
  b5060c1b8fbe9c1c4bbd58e82a2ce51e1c99a6484ca7f02bac869b0202602f4194db061c0414effc6ca1953a8fc24ad3d8a64fbb814233f34c3d6d506087ab17
- SSDEEP
  
  24576:hh053QYI8yAiAtUFzI6XdYBd65LZ5Ep/CtJ3zbBgakmf:+QYIqiAtOLfEp/C/DNgad
Score

10^/10

discovery persistence agenttesla credential_access keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

agentteslacredential_accessdiscoverykeyloggerpersistencespywarestealertrojan