agenttesla | c35922ffe621f1719e7346a3fa7ba779766c44481ed2ad785782cc7bf693376c | Triage

Sharing

General

Target

Request For Quotation.js
Size

131KB
Sample

241007-fxkx7a1hlh
MD5

55f3ba85c0e1546b907ec0f2465f6bac
SHA1

59c6d5157b6cb30040f0226599c99f07c361f822
SHA256

c35922ffe621f1719e7346a3fa7ba779766c44481ed2ad785782cc7bf693376c
SHA512

478496891e630b260802e97f20132adf1b06b22f35b059e9f9176e6e5f777d63184b45c32efbf4981f53f02ecff31640e84661164a90d550a1d061e1edde3d1b
SSDEEP

3072:/N+oukZXE8KRI4V1AulQkcunvyhLZm2MKIvgzJJY6N+oukZXE8KRI4V1AulQkcuz:/xukZ08baeulQ/uni/M5vgzXY6xukZ07

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN
Email To:
[email protected]

Targets

- Target
  
  Request For Quotation.js
- Size
  
  131KB
- MD5
  
  55f3ba85c0e1546b907ec0f2465f6bac
- SHA1
  
  59c6d5157b6cb30040f0226599c99f07c361f822
- SHA256
  
  c35922ffe621f1719e7346a3fa7ba779766c44481ed2ad785782cc7bf693376c
- SHA512
  
  478496891e630b260802e97f20132adf1b06b22f35b059e9f9176e6e5f777d63184b45c32efbf4981f53f02ecff31640e84661164a90d550a1d061e1edde3d1b
- SSDEEP
  
  3072:/N+oukZXE8KRI4V1AulQkcunvyhLZm2MKIvgzJJY6N+oukZXE8KRI4V1AulQkcuz:/xukZ08baeulQ/uni/M5vgzXY6xukZ07
Score

10^/10

execution agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan