agenttesla | 7fa215859d4c84ba5748f36ae48edabacfa3007f0bd48d43c11a0c3aaa3e542c | Triage

Sharing

General

Target

6a48228565ed733cd60056d99cff8a6b.bin
Size

30KB
Sample

241024-btsreazhlm
MD5

ab26f5bc5b877077d7f538af222f3205
SHA1

4b189a4463e4e4505b6e708e6265b2342075ce61
SHA256

7fa215859d4c84ba5748f36ae48edabacfa3007f0bd48d43c11a0c3aaa3e542c
SHA512

186a7828e4edc22eca4ce9b89e0bc2ddb540444b4551a539f5c71cb99949e84684bc4033a29231bdcf6537eb87699bde23d6a594e76793c1fcea8cdea4448e62
SSDEEP

768:i8RKtiLyEMhefOl0JNCa5SSOFMRHCeSqrjrj:Tqk+luNCPfF2Hu2

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.fosna.net
Port:
21
Username:
[email protected]
Password:
=A+N^@~c]~#I

Targets

- Target
  
  d9ac7c9de98bcda1ccf6bc34b29c9a7484baa21494eef52f1ae781934e617b3f.vbs
- Size
  
  136KB
- MD5
  
  6a48228565ed733cd60056d99cff8a6b
- SHA1
  
  e9b69eb11d2a9c6eab1a1429201ccebc92b9fef3
- SHA256
  
  d9ac7c9de98bcda1ccf6bc34b29c9a7484baa21494eef52f1ae781934e617b3f
- SHA512
  
  d3387d9f844ade99dabfc6b0bb93a8f38a89c85ecaed21a7e75a74cccf81c721134be9e345a9eb251bca5ec464a7a7651396fc7fb0e9a3612bf9fca310572d62
- SSDEEP
  
  3072:CaTCgt5pKGw018Ywypkdf2IULVnKQ4eC5kA:t3adfbYdKQhK7
Score

10^/10

execution agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan