agenttesla | 0740099619ddb94ecd697c63011b3240d301c53ebb639fca9f19d855ab584017 | Triage

Sharing

General

Target

fa9f8685606ff7be164638dcea021b2e_JaffaCakes118
Size

379KB
Sample

240927-serdgaxhmj
MD5

fa9f8685606ff7be164638dcea021b2e
SHA1

38fe67d0575b51071168a67b5b827a7d2ae573b3
SHA256

0740099619ddb94ecd697c63011b3240d301c53ebb639fca9f19d855ab584017
SHA512

2f88367537698790596035a4c6fa0cd96241837610c294fc9be4cb860617c7ef2e1be8fb47a4c8b2ae506fbc0a4d3f9928a5be39d1b26d56c39090410d5712af
SSDEEP

6144:TtsA0/FR+PbiCywMOfDEaxb+kCmmpuqzNWtQPj05xtyIRo25seoFVY9UGJ9L/BGf:KAMylywMObKkzOVUtkoKGoca4XLY

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.aquariuslogistics.com
Port:
587
Username:
[email protected]
Password:
AQL@2019#$

Targets

- Target
  
  TT_COPY.exe
- Size
  
  421KB
- MD5
  
  458145b74718d73399391f3cd02e6192
- SHA1
  
  058788cc18f08f58e4104e33b9546f91053102f3
- SHA256
  
  008d79b95dd17c51b103bf87aabf1e5a3ecff06c2ff26a5b5bce23ac1e0dda9c
- SHA512
  
  e44d1fea9445603417ede137eb38462d47b63c035ed9bd81b1c901fa6d98594c54dfb16fee48f7deccad8086b107af7d664e604dc8cce64ee9781aa5d08cae68
- SSDEEP
  
  6144:xDxG2DAohI1g3YNFOvgwXnWgAsLiYRgfcpF0EAWMxRRLmKZ3QW1bGJ1:txGMnhIS3YTfycsBRCcLLAjxRl1gWZa
Score

10^/10

agenttesla collection credential_access discovery keylogger persistence rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectioncredential_accessdiscoverykeyloggerpersistencerezer0spywarestealertrojan

behavioral2

agentteslacollectioncredential_accessdiscoverykeyloggerpersistencerezer0spywarestealertrojan