agenttesla | 74f7d9b0cf97bf3d2e6bd9e5a3b3018153cec3955a1c8ce7c5f5c62d4ff1719c | Triage

Sharing

General

Target

74f7d9b0cf97bf3d2e6bd9e5a3b3018153cec3955a1c8ce7c5f5c62d4ff1719c
Size

43KB
Sample

241014-x1t4ps1hra
MD5

dbca7f0d7e1073b7225692a547099b5d
SHA1

960c43a213bb3dc94a7ea6e19be4f4672f25076a
SHA256

74f7d9b0cf97bf3d2e6bd9e5a3b3018153cec3955a1c8ce7c5f5c62d4ff1719c
SHA512

f82c180e75d1a218c004353db903d4f4cebf8fda3c9a2a271bc6591493a29171825d3e4830938fa97d1db38ecc807aae50e2ca644acbb1e82b82d26ae5fa9ce6
SSDEEP

768:xOsV9gIubA9jrpstfGcjJEerHRlifYe9ViYcA2lH5iQA/vtKn86ytBTrENh8Vbf:xN9gerakcFFljsViYcA2VQQA/vtyVytH

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

Extracted

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN
Email To:
[email protected]

Targets

- Target
  
  Purchase Order.js
- Size
  
  133KB
- MD5
  
  8f4dc9bb5911379994ef0cadf2953e0d
- SHA1
  
  456a8ba07ceab3066f9fd12f73d4f5da34549e50
- SHA256
  
  8906d935345492816ccfc993df85b2fb7d37519247aa063126f8b93e577090d0
- SHA512
  
  8a83e2be903573e7cb04031ed13297c1a1c9f65f32b6dacace36c52e9b818cf5536cc23d067c873f390a37da5c69a830b4d42aa4314d119d548008d77b29aa0b
- SSDEEP
  
  3072:gW5Bbi9oLFzWuLD1dsW66/Y9tTCFzxW5Bbi9oLFzWuLDn:+9opzWwD1mOGJCFzh9opzWwDn
Score

10^/10

execution agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan