agenttesla | b3e39db3b2ee5694d8a744f7bf2b4e8f6bfda9ef25efac108944121aa1adca29 | Triage

Sharing

General

Target

b3e39db3b2ee5694d8a744f7bf2b4e8f6bfda9ef25efac108944121aa1adca29
Size

14KB
Sample

241017-bxp5pavdnc
MD5

8da826028e4419bbd91161bac9d14a81
SHA1

32ccd920374f472022a37b9498067727e70145bf
SHA256

b3e39db3b2ee5694d8a744f7bf2b4e8f6bfda9ef25efac108944121aa1adca29
SHA512

2ccbb6c77b0ed8d516058d1487ea5f595665bc551f5dc5bb07b3b0ae5b659766b368619b1e9b5ff7a24fe20406ac1731a6057da005231379a77feee0dc44d8f4
SSDEEP

384:/tibRuAClkq8u/jkfXh5TZAaCvPEVZLUWvZd4h:MbwAClkq8PPj1w2ZLdoh

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Targets

- Target
  
  b3e39db3b2ee5694d8a744f7bf2b4e8f6bfda9ef25efac108944121aa1adca29
- Size
  
  14KB
- MD5
  
  8da826028e4419bbd91161bac9d14a81
- SHA1
  
  32ccd920374f472022a37b9498067727e70145bf
- SHA256
  
  b3e39db3b2ee5694d8a744f7bf2b4e8f6bfda9ef25efac108944121aa1adca29
- SHA512
  
  2ccbb6c77b0ed8d516058d1487ea5f595665bc551f5dc5bb07b3b0ae5b659766b368619b1e9b5ff7a24fe20406ac1731a6057da005231379a77feee0dc44d8f4
- SSDEEP
  
  384:/tibRuAClkq8u/jkfXh5TZAaCvPEVZLUWvZd4h:MbwAClkq8PPj1w2ZLdoh
Score

10^/10

discovery execution agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan