agenttesla | 5cc56631849d2923294c1c5d898d9a8e7fa5865e64818fa883229c8608505e16 | Triage

Sharing

General

Target

5cc56631849d2923294c1c5d898d9a8e7fa5865e64818fa883229c8608505e16.z
Size

634KB
Sample

241003-bwst7axenp
MD5

06b094440669435905ae2a4b9d9ef868
SHA1

f18987361f358b9b95985341986c9b77a2402bf5
SHA256

5cc56631849d2923294c1c5d898d9a8e7fa5865e64818fa883229c8608505e16
SHA512

8e4cc3e7b42d195ba44fac7fa5a0558f64184a0e1f7199ca1e814d853776bd14bc3b10bc20faf684624918618f4e4076b9800c8f58cab1388346337df54240c7
SSDEEP

12288:Y3Nz5j4Zt4y1jQR3G24O2pglXmvasSp2NdNRa8cL:YVeZt3gMglWvaszNm

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.fosna.net
Port:
21
Username:
[email protected]
Password:
(=8fPSH$KO_!

Extracted

Credentials

Protocol: ftp
Host:
ftp.fosna.net
Port:
21
Username:
[email protected]
Password:
(=8fPSH$KO_!

Targets

- Target
  
  5678909764.scr
- Size
  
  723KB
- MD5
  
  df30947662e982996810396f8998687c
- SHA1
  
  ab1cca67c1d71f95e516a21995d2965761bc6829
- SHA256
  
  9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e
- SHA512
  
  41e148f5bd8fe19754f6c676323a1b022c0e79d3be5c5de8b3fc030e2dedb46877e5ff792da2965fc8cfc701724ea914a61a80d43590e77421820d22bb484b9a
- SSDEEP
  
  12288:ZFw5wFD3n6UwXUTCBvvFfg6DUT0/PSnyUt9H+nruF39h9sAFJEyvQXDkR:ZF4K9wXKIvFfZRGyI9enr6H93bnQXW
Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan