agenttesla | c3cd0879f2fd7d6329b64dce87249fd717145625e60bce03eb67f9ee2c8a10db | Triage

Sharing

General

Target

inquiry.vbs
Size

94KB
Sample

241001-xbchcsyblh
MD5

5244eee364836dc693025ecf574f394d
SHA1

2e9dcc09dcae233d7bd7507a3685fd67e9d9c158
SHA256

c3cd0879f2fd7d6329b64dce87249fd717145625e60bce03eb67f9ee2c8a10db
SHA512

f29ace7bc68fa083606e6f0be5f697d92ec93fd936a85cc8bf6ce4511741b0e9d921cf92dfcd11ecf2de28bbde49e651c234db3d6c3a22baefacad7d09ff1585
SSDEEP

1536:SpAqmnwlpbjrWic4dYWN3xHEQPplcJGH8O+iPG707Q/gsUogUwnZI3:SpAqCwlpbjrHFYWBxHEQdcpiE07Q/gsj

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360

Targets

- Target
  
  inquiry.vbs
- Size
  
  94KB
- MD5
  
  5244eee364836dc693025ecf574f394d
- SHA1
  
  2e9dcc09dcae233d7bd7507a3685fd67e9d9c158
- SHA256
  
  c3cd0879f2fd7d6329b64dce87249fd717145625e60bce03eb67f9ee2c8a10db
- SHA512
  
  f29ace7bc68fa083606e6f0be5f697d92ec93fd936a85cc8bf6ce4511741b0e9d921cf92dfcd11ecf2de28bbde49e651c234db3d6c3a22baefacad7d09ff1585
- SSDEEP
  
  1536:SpAqmnwlpbjrWic4dYWN3xHEQPplcJGH8O+iPG707Q/gsUogUwnZI3:SpAqCwlpbjrHFYWBxHEQdcpiE07Q/gsj
Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan