agenttesla | 914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709 | Triage

Sharing

General

Target

914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709.exe
Size

781KB
Sample

241017-cd5xgazcrl
MD5

b18d405d583c06c41cce7f63c78a802a
SHA1

28b19058141d53c08948af6b89fd6409b3924ad5
SHA256

914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709
SHA512

58f65689fb2a58da9a359a5d38b7640857001b546b798c48f7c189b35b87bc6e159cbebf9a54c3e3ffca0eb6362f6be7ae05a65108ef5299e6553e201f24f10d
SSDEEP

12288:EtmU+gdBSt4tnO5N3KSekX08rVU8t5xWonVp4g0Cla+ve7bAvANa24jV:Et1+GO5Z3XTr5xWoV90sjvzE1

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
nhpe dfhf irbv bqxe

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
nhpe dfhf irbv bqxe
Email To:
[email protected]

Targets

- Target
  
  914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709.exe
- Size
  
  781KB
- MD5
  
  b18d405d583c06c41cce7f63c78a802a
- SHA1
  
  28b19058141d53c08948af6b89fd6409b3924ad5
- SHA256
  
  914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709
- SHA512
  
  58f65689fb2a58da9a359a5d38b7640857001b546b798c48f7c189b35b87bc6e159cbebf9a54c3e3ffca0eb6362f6be7ae05a65108ef5299e6553e201f24f10d
- SSDEEP
  
  12288:EtmU+gdBSt4tnO5N3KSekX08rVU8t5xWonVp4g0Cla+ve7bAvANa24jV:Et1+GO5Z3XTr5xWoV90sjvzE1
Score

10^/10

discovery execution agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan