agenttesla | d9ac7c9de98bcda1ccf6bc34b29c9a7484baa21494eef52f1ae781934e617b3f | Triage

Sharing

General

Target

d9ac7c9de98bcda1ccf6bc34b29c9a7484baa21494eef52f1ae781934e617b3f.vbs
Size

136KB
Sample

241023-cazahswale
MD5

6a48228565ed733cd60056d99cff8a6b
SHA1

e9b69eb11d2a9c6eab1a1429201ccebc92b9fef3
SHA256

d9ac7c9de98bcda1ccf6bc34b29c9a7484baa21494eef52f1ae781934e617b3f
SHA512

d3387d9f844ade99dabfc6b0bb93a8f38a89c85ecaed21a7e75a74cccf81c721134be9e345a9eb251bca5ec464a7a7651396fc7fb0e9a3612bf9fca310572d62
SSDEEP

3072:CaTCgt5pKGw018Ywypkdf2IULVnKQ4eC5kA:t3adfbYdKQhK7

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.fosna.net
Port:
21
Username:
[email protected]
Password:
=A+N^@~c]~#I

Targets

- Target
  
  d9ac7c9de98bcda1ccf6bc34b29c9a7484baa21494eef52f1ae781934e617b3f.vbs
- Size
  
  136KB
- MD5
  
  6a48228565ed733cd60056d99cff8a6b
- SHA1
  
  e9b69eb11d2a9c6eab1a1429201ccebc92b9fef3
- SHA256
  
  d9ac7c9de98bcda1ccf6bc34b29c9a7484baa21494eef52f1ae781934e617b3f
- SHA512
  
  d3387d9f844ade99dabfc6b0bb93a8f38a89c85ecaed21a7e75a74cccf81c721134be9e345a9eb251bca5ec464a7a7651396fc7fb0e9a3612bf9fca310572d62
- SSDEEP
  
  3072:CaTCgt5pKGw018Ywypkdf2IULVnKQ4eC5kA:t3adfbYdKQhK7
Score

10^/10

execution agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan