agenttesla | 8906d935345492816ccfc993df85b2fb7d37519247aa063126f8b93e577090d0 | Triage

Sharing

General

Target

Purchase Order.js
Size

133KB
Sample

241015-hzx2ms1eqf
MD5

8f4dc9bb5911379994ef0cadf2953e0d
SHA1

456a8ba07ceab3066f9fd12f73d4f5da34549e50
SHA256

8906d935345492816ccfc993df85b2fb7d37519247aa063126f8b93e577090d0
SHA512

8a83e2be903573e7cb04031ed13297c1a1c9f65f32b6dacace36c52e9b818cf5536cc23d067c873f390a37da5c69a830b4d42aa4314d119d548008d77b29aa0b
SSDEEP

3072:gW5Bbi9oLFzWuLD1dsW66/Y9tTCFzxW5Bbi9oLFzWuLDn:+9opzWwD1mOGJCFzh9opzWwDn

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

Extracted

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN
Email To:
[email protected]

Targets

- Target
  
  Purchase Order.js
- Size
  
  133KB
- MD5
  
  8f4dc9bb5911379994ef0cadf2953e0d
- SHA1
  
  456a8ba07ceab3066f9fd12f73d4f5da34549e50
- SHA256
  
  8906d935345492816ccfc993df85b2fb7d37519247aa063126f8b93e577090d0
- SHA512
  
  8a83e2be903573e7cb04031ed13297c1a1c9f65f32b6dacace36c52e9b818cf5536cc23d067c873f390a37da5c69a830b4d42aa4314d119d548008d77b29aa0b
- SSDEEP
  
  3072:gW5Bbi9oLFzWuLD1dsW66/Y9tTCFzxW5Bbi9oLFzWuLDn:+9opzWwD1mOGJCFzh9opzWwDn
Score

10^/10

execution agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan