agenttesla | 1f4bd1189444edf896aa872c12f47f614a17566da7eeebf09259f6ee10e9b320 | Triage

Sharing

General

Target

1f4bd1189444edf896aa872c12f47f614a17566da7eeebf09259f6ee10e9b320
Size

698KB
Sample

241121-bhpwdaxhrj
MD5

41a0e3647dfab9816d15ebf070e75849
SHA1

f28320098d288e1a8578861e8c715372a36a0390
SHA256

1f4bd1189444edf896aa872c12f47f614a17566da7eeebf09259f6ee10e9b320
SHA512

4fb790e14d64412ca59b1dd7556d4ca8a66a677fbec706fb106e80464e459597161b91b32ff5513426caa867d0b1592d83535f3397dfd4b517c4c4f7850635fb
SSDEEP

12288:YyAgFdVoC/HeIMOBkXKxh3IfDj3oSPYzeyu0Lu/bs1D0bWCiYNR/WBS9vD:FAgVoC/HemBNheP3Xg6yTLug0WC7ROB0

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Targets

- Target
  
  datasheet.exe
- Size
  
  636KB
- MD5
  
  4c7e7bd9eaf56b3936be87a6904f70f8
- SHA1
  
  22591d29813790d622a1d49a1e0bf91b20235cf6
- SHA256
  
  429e0fa9706ee65774188e538bda0b69a15fb93e97864cedb88e33c650ed9538
- SHA512
  
  108e542f79d97dcb73490acd04718a56adda3d000e844ad71f0721b3b12d2a06ccb9b28a00e0d2443f2bb5c680617e316ce4a84c98a5e8f4f29ade1ff9c0be70
- SSDEEP
  
  12288:NyAgFdVoC/HeIMOBkXKxh3IfDj3oSPYzeyu0Lu/bs1D0bWCiYNR/WBS9vD:wAgVoC/HemBNheP3Xg6yTLug0WC7ROB0
Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan