agenttesla | 5fa2d320a9309582f3b8d589a6b776b586bf9247af39c831a86b4d5a3ef0f51f | Triage

Sharing

General

Target

fb3d40d2969ae5f7b9bb2b6298963581_JaffaCakes118
Size

1.2MB
Sample

240928-bra4kszbkr
MD5

fb3d40d2969ae5f7b9bb2b6298963581
SHA1

b926b405620c6ee5dfcc7536dc197d1f6e4c1093
SHA256

5fa2d320a9309582f3b8d589a6b776b586bf9247af39c831a86b4d5a3ef0f51f
SHA512

a1217dc6db25b396b5f8b111e446c81d2ff5c5e8339e23fc1c66e15a2cfd5024cada2e69c5daf66b31d793586ebe552a3c6a427f2528c8eb35677099c0c732f9
SSDEEP

6144:KE/gzZZ0mSLAkBTsvgYoxBAosUXBQsnJ/vY3ZFbvC2BoaaVAcL7n:K3zZZ0mXWTsoYoxZsUXBQCo3XK3VAcX

Score

10^/10

agenttesla collection defense_evasion discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.petroleumintegrated-ae.com
Port:
587
Username:
[email protected]
Password:
)dZfkI%9

Targets

- Target
  
  dhl_address_form.exe
- Size
  
  700KB
- MD5
  
  2609ae8c66f7d758472da101042c3548
- SHA1
  
  c787a4d4d919399f7041839d21a620a2d51fd5c4
- SHA256
  
  e356d7e8758967daa9f5d129eef727202e2c48d2808355924cf247aebc1bd336
- SHA512
  
  0776dbf3a2b0de4e760b12ccd896ebdb25018ec5f8072b3e4c1ec5fbe8a3351ccae5a7c0beaa08feda571dff15c0690b7c132b95b523d6451ce7eb1a5d64d28f
- SSDEEP
  
  6144:kE/gzZZ0mSLAkBTsvgYoxBAosUXBQsnJ/vY3ZFbvC2BoaaVAcL7n:k3zZZ0mXWTsoYoxZsUXBQCo3XK3VAcX
Score

10^/10

agenttesla collection defense_evasion discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- System Binary Proxy Execution: InstallUtil
  Abuse InstallUtil to proxy execution of malicious code.
  defense_evasion
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

InstallUtil

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectiondefense_evasiondiscoverykeyloggerspywarestealertrojan

behavioral2

agentteslacollectiondefense_evasiondiscoverykeyloggerspywarestealertrojan