agenttesla | e99d17cd2b0e0e6f3094120940b3e0791de13701a8109ee472af9df0c8ae22b5 | Triage

Sharing

General

Target

e99d17cd2b0e0e6f3094120940b3e0791de13701a8109ee472af9df0c8ae22b5
Size

545KB
Sample

241124-bqnchsspfk
MD5

e3030ed0b414451cce720ed2d3fb2842
SHA1

3b2cb09283ae160e3564142ab81041bae5d5921a
SHA256

e99d17cd2b0e0e6f3094120940b3e0791de13701a8109ee472af9df0c8ae22b5
SHA512

49cc85ef16f9a39cf3e9b18c33142430a175a8b4c1cc5f4e84a6cc0efe4534a99790ec1523bf5b8533d698c9779006c7e5acc315bdbeedd7f9ebf92a9aa61e5f
SSDEEP

6144:+GxhLLUnIBpvRjxiOiPUjNLByLx+iGFV46g0ZJeg8mGlN+30SvwH+kNF:3TUITJxiJiNLkLKFV46pjGC30SvwHR

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.diva-italia.com
Port:
587
Username:
[email protected]
Password:
rr.@%5LjgLz7

Targets

- Target
  
  e99d17cd2b0e0e6f3094120940b3e0791de13701a8109ee472af9df0c8ae22b5
- Size
  
  545KB
- MD5
  
  e3030ed0b414451cce720ed2d3fb2842
- SHA1
  
  3b2cb09283ae160e3564142ab81041bae5d5921a
- SHA256
  
  e99d17cd2b0e0e6f3094120940b3e0791de13701a8109ee472af9df0c8ae22b5
- SHA512
  
  49cc85ef16f9a39cf3e9b18c33142430a175a8b4c1cc5f4e84a6cc0efe4534a99790ec1523bf5b8533d698c9779006c7e5acc315bdbeedd7f9ebf92a9aa61e5f
- SSDEEP
  
  6144:+GxhLLUnIBpvRjxiOiPUjNLByLx+iGFV46g0ZJeg8mGlN+30SvwH+kNF:3TUITJxiJiNLkLKFV46pjGC30SvwHR
Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AgentTesla payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan