agenttesla | 9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e | Triage

Sharing

General

Target

9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e.exe
Size

723KB
Sample

241002-bvrwhatgqg
MD5

df30947662e982996810396f8998687c
SHA1

ab1cca67c1d71f95e516a21995d2965761bc6829
SHA256

9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e
SHA512

41e148f5bd8fe19754f6c676323a1b022c0e79d3be5c5de8b3fc030e2dedb46877e5ff792da2965fc8cfc701724ea914a61a80d43590e77421820d22bb484b9a
SSDEEP

12288:ZFw5wFD3n6UwXUTCBvvFfg6DUT0/PSnyUt9H+nruF39h9sAFJEyvQXDkR:ZF4K9wXKIvFfZRGyI9enr6H93bnQXW

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.fosna.net
Port:
21
Username:
[email protected]
Password:
(=8fPSH$KO_!

Extracted

Credentials

Protocol: ftp
Host:
ftp.fosna.net
Port:
21
Username:
[email protected]
Password:
(=8fPSH$KO_!

Targets

- Target
  
  9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e.exe
- Size
  
  723KB
- MD5
  
  df30947662e982996810396f8998687c
- SHA1
  
  ab1cca67c1d71f95e516a21995d2965761bc6829
- SHA256
  
  9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e
- SHA512
  
  41e148f5bd8fe19754f6c676323a1b022c0e79d3be5c5de8b3fc030e2dedb46877e5ff792da2965fc8cfc701724ea914a61a80d43590e77421820d22bb484b9a
- SSDEEP
  
  12288:ZFw5wFD3n6UwXUTCBvvFfg6DUT0/PSnyUt9H+nruF39h9sAFJEyvQXDkR:ZF4K9wXKIvFfZRGyI9enr6H93bnQXW
Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan