agenttesla | 98816956b52fb0382d43e86a5087a5c908c3e33750c4031ec14389230f125b3d | Triage

Sharing

General

Target

30092024_0051_27092024_PROJECT DETAILS AND SPECIFICATIONS.gz
Size

73KB
Sample

240930-a7f44atapd
MD5

ace746c6398bb2c5aa45a66ae0628fac
SHA1

1eeca7d89bfc79b96a4a231a0e3eb79d8c432911
SHA256

98816956b52fb0382d43e86a5087a5c908c3e33750c4031ec14389230f125b3d
SHA512

81281d4ddef32afdaa8b8c3bd150b169e58a5770318a5d24da6ce6fcad56f8e0b6d8da6a7b540de21146c02ee0ce1ba557f1c72c9ef35096d5faf38d85ecf0ae
SSDEEP

1536:gdueuzBFOL3G3xmYxWcX85qu2+KVjGjV8Aflgn7o5/kQcKx4zn5SQ/:QueiBF4KxJ9u2+uWflgnk5Dcf75r

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNote_J.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNote_J.txt

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN
Email To:
[email protected]

Targets

- Target
  
  PROJECT DETAILS AND SPECIFICATIONS.js
- Size
  
  197KB
- MD5
  
  ef818b0f3b065744f9ca0e7e6463fa5a
- SHA1
  
  042ab0111d9be103d7558da8d5aacb86f7c91d22
- SHA256
  
  f599b75aff511ee47cf3e7ea69ff58ef8025f15340add9b7c01bc7baaaaf9503
- SHA512
  
  6d48fcd76d1db0fdb208c324139cdcca6e154508cfb783cd09dd51766f20177877ddeb1782180ac14631b5a7a373b1aa85ff512665369118178edb7a19c6f735
- SSDEEP
  
  6144:gzMNJy9Ha4Lp17+n4O9/8bTwNN4mEqtm4I3W4J:JNo93Lp17U4O9/8bTw/43qtm4eW4J
Score

10^/10

execution agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan