agenttesla | 21f90e0d5e6ecb036950ec462cd6eed6b17b1a231a6220fbc1dda80c118f8b1f | Triage

Sharing

General

Target

Quote_Request.js
Size

320KB
Sample

240923-q48yps1fkb
MD5

409a098455597d7cbc0c56bc2d37f4b5
SHA1

b46f9a53e7fe7ce357a2a4b8d0e0949da320aeea
SHA256

21f90e0d5e6ecb036950ec462cd6eed6b17b1a231a6220fbc1dda80c118f8b1f
SHA512

9709d7ca61ea365fbb2612cea61b2fcb8e4f45af4bd98caf5900ee26ec855cc5b43158073933ebf09f6e78f472c617ccbbe77ea9b235311c7be4aa7b04e71ba7
SSDEEP

6144:c5VUO+uOGvqHKB+X/AUVUFCiaiYQAjOZLzDrQI2e6tYppEQNCo0jV92z6IqWm+W+:075OGvqHKIYU6FCia3QkOVzoIymnxCRu

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Extracted

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN
Email To:
[email protected]

Targets

- Target
  
  Quote_Request.js
- Size
  
  320KB
- MD5
  
  409a098455597d7cbc0c56bc2d37f4b5
- SHA1
  
  b46f9a53e7fe7ce357a2a4b8d0e0949da320aeea
- SHA256
  
  21f90e0d5e6ecb036950ec462cd6eed6b17b1a231a6220fbc1dda80c118f8b1f
- SHA512
  
  9709d7ca61ea365fbb2612cea61b2fcb8e4f45af4bd98caf5900ee26ec855cc5b43158073933ebf09f6e78f472c617ccbbe77ea9b235311c7be4aa7b04e71ba7
- SSDEEP
  
  6144:c5VUO+uOGvqHKB+X/AUVUFCiaiYQAjOZLzDrQI2e6tYppEQNCo0jV92z6IqWm+W+:075OGvqHKIYU6FCia3QkOVzoIymnxCRu
Score

10^/10

execution agenttesla credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan