agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

26x2024-07-02.zip
Size

7.8MB
Sample

241130-swdtpsxlfy
MD5

976318d36e8fa4d8e5990ef40d3c1859
SHA1

8e10152ccc92eb9acd0115a4145b1fa620fb79e5
SHA256

208a58c11df2608ba40daf453a31ddd82230357077397f3b2f1a7645e881b232
SHA512

36de0ae79b8713eefa4be4b029c50a1e1a840fa49ea07cb37129e187f9d76d5e33f3654cc8859201cc005a17fb600edfc213a1fd6fb43b0af70f8373e15c77a7
SSDEEP

196608:1GHb9vDVWLkPslxDld6A92jJ9PzeWQhHQ8wd+tszA0A4Mk1SB0R+RdP:sJbVyDlxxE22jLswd+qA0nxSKy1

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7049924735:AAGvjcq8A7Onlbh1XDN_9YUW9tENxnyOWZ4/sendMessage?chat_id=5144477649

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.laboratoriosvilla.com.mx
Port:
587
Username:
[email protected]
Password:
WZ,2pliw#L)D
Email To:
[email protected]

Targets

- Target
  
  0702/30.exe
- Size
  
  24KB
- MD5
  
  566705afeb33d5a977708328cda48f1c
- SHA1
  
  582441d0aca8c9217bdaa3526cbec9f377bb0555
- SHA256
  
  ce5c39f359a043c19eaee84bb1371c0e6cb9b72ee452d3748c00a8758d52d27f
- SHA512
  
  de40a1d3eb1598f8c69a510bd0360bb59db6aaff2beb10ab326849d026d57c4f6071e8dbb37ac68bd5fc5c6f487d7ca91f32973a9624f87761e664e63bb01f04
- SSDEEP
  
  384:HQaJctWL1LAqwgB/7d6aJZSacu53MYlip:HQJWL1LAqwgB/7d6aJZR5di
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  0702/710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr
- Size
  
  1.0MB
- MD5
  
  4ee08be6bfe40c3fb09e904c35299000
- SHA1
  
  9d8e0ebbaaa3598ed03f231267103f24f6c0dd85
- SHA256
  
  e38d2d9b8b63dc2163897bfa2a8401a57483d39d0dace276f360be62cd938852
- SHA512
  
  ff031c9ec83430d6adc5bfb615021db20ac6494c86e70ad7bb9cc187464f73d9617d7c42182c9a553d694f8242d774db2e3bb7a7de019ec7ad9ddb535ac448d5
- SSDEEP
  
  24576:9prMbKEzp1gOF4gG2Xiou9TBeWyKvBeIcnsjjX:9IDtGTBXyKv8Ls
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  0702/DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe
- Size
  
  1.0MB
- MD5
  
  ff7faf303374e2122f202119d2589943
- SHA1
  
  ddcf68d2e3ab75b97fda50dade1cfd9a94cd56ff
- SHA256
  
  411306e63dfc6d07f24c7af59ba1b0ad39825694ad8c34453edc34d0855e3c1b
- SHA512
  
  bd39c26222a433046bc8aa3dcf97412a2e97edc901d5b74523dc5410ea73ff9f748910b7e6c6724ed85ff974d0c4bee1a105ed7896fc4be552d9ee01a216bc23
- SSDEEP
  
  24576:TAHnh+eWsN3skA4RV1Hom2KXMmHaIpNxWj5:eh+ZkldoPK8YaIHxC
Score

10^/10

agenttesla discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  0702/FedEx Receipt_53065724643.xls
- Size
  
  711KB
- MD5
  
  4bb5a21106d460a7e9f63d44e47359cc
- SHA1
  
  bb87ff08d79ebb57f97f97407db083bb13bb580d
- SHA256
  
  adf19fed5bdfe80fc084a7ff1ad2ba59dc986dfe5b7dd7d2864c129bce51c0a0
- SHA512
  
  6baaaaf5bab117ff4a0082b76be23540201f6ca8dc98f95fea4e0092bd63e484259c9e08defb3da30c21258cf9965cb159d1e1c59f25aa14d6b32f4c79ab9c3b
- SSDEEP
  
  12288:ouyqFzu4L0KJnQD6NCLQDhmuePiiPLDyjXCwkhHiOGhz1gRoiskBSP6wm3Wz67WR:oizu4L0K86NCsDhmuePfL59Igmi5Tg6O
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  0702/ISOTRAILER Trailer Sheets Inquiry.scr
- Size
  
  292KB
- MD5
  
  ce05993fed6f872699bff7205676aeb1
- SHA1
  
  6f933c822762c940d29615380d985d5570b2a99c
- SHA256
  
  2a153cf2c0eb9b4d2d28b163f9782efca60836088efa2ed221074e15f93ad65e
- SHA512
  
  2934a05ff52abebdcea35e015d8e4991af36fb0add8466c396b707fd8b672d078699b6de794e267883843eecffd327987e568719cbb2f9e28e9afb119f774f70
- SSDEEP
  
  3072:/Zke2uhsBRpY5YgMbuBAYG8hVGJGmN5cqy+SctLpZAysRafbPrUOi9r/bnXRTikQ:RkOCPUbGUVGrN5j58ysRGbDQ9HnhOk8
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  0702/KWOTASIE.exe
- Size
  
  959KB
- MD5
  
  ecbec21dcfa39a1131d2a79acdf73f88
- SHA1
  
  6b9366674e34118ec2881ab8d0ae5a5f5077a44d
- SHA256
  
  ca595e27f24e0fc84bd5627ec36baae36bcc24018e638ed2ec7c7a6b1fe7b653
- SHA512
  
  5158aa940a2779ef4fbb4874fbef55135754c33d3370f0c3f807c082dc268a63eab099f03b8b855a65bf41dd3cf683b8284b728719e6935835aa7920a5aa6b9c
- SSDEEP
  
  24576:tzBRHciaGiPc8t11WID3jCJO30866tZPIJIRP6n:rRHciaGiL1MU2k3KSAJT
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  0702/Maersk_BL_Invoice_Packinglist.vbs
- Size
  
  26KB
- MD5
  
  43fe0e9069047cb153a3e86508d5a6ca
- SHA1
  
  bb5431130b0b3441b9eda1e54bad3f56eb49f04c
- SHA256
  
  bcd66ce1c9d8d1123249ef8240a6e7ef32662aaa897845e866627ee69b28dff1
- SHA512
  
  6816a9e7626d87afe7211780e6d3312e21400c165f4160149ad57bab61c504458fe133adf8d6467724fa2b148c2d762e4203b4b6d2e0630ad2f109c460827571
- SSDEEP
  
  384:HlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgww779O7LWJRMv:FzSR022X/523S0e8xPPmE9VIFj3W+N
Score

8^/10

execution
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral13 behavioral14
- Target
  
  0702/MpClient.dll
- Size
  
  1.9MB
- MD5
  
  12a6c8267111ee5c57bfbef36244188f
- SHA1
  
  9bbd9705b24bdcb81a5d91489d7c2600271984c0
- SHA256
  
  00e0fe1229850e182f0b32dc45c1c6515694b655e8d39d9777beb35e30bf4f20
- SHA512
  
  10bc254c0f38b235b847c23359ef2b55d990ef6500d7df56fe0b9aa8a2cf52f9975160f459e9b17b251acda17709c29f37d6292b4ca76d745877de49608c2bc5
- SSDEEP
  
  49152:o5EqpGZhICdou7BlVddbR9EaVPPQAYnZoEyp1sDB:Qno30y
Score

7^/10
- Drops startup file
behavioral15 behavioral16
- Target
  
  0702/ORDER-7019-2024.js
- Size
  
  7KB
- MD5
  
  134bbcb99ed7dafbfb86cd606142520f
- SHA1
  
  99b1c91c598f24b56f8d0a4e1d2302a66ff8619a
- SHA256
  
  0754f739104fefc71e7890e97fae82d2e2f9581cbc4f01e4cc4ce9d89f2b4cdc
- SHA512
  
  67e33b042a23ab0e7261e5c3e6b821d83805e35e26c0543f16d58d3ea0cc7c0c6d9ec43935250bdfa8804e2ae9caf9d5baaedb1fa1607fa1d22c2d5db163fc18
- SSDEEP
  
  192:Wam3721AN32GqdDzA2cC3QOMEOCZBOGRO3M217:2
Score

8^/10

execution
- Blocklisted process makes network request
behavioral17 behavioral18
- Target
  
  0702/PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED-xlsx.scr
- Size
  
  610KB
- MD5
  
  fe67d87f3efefadb38a76aca77820504
- SHA1
  
  08c9f9f3c9be5b3fb9fbe6dfc3b6875323c3a4ad
- SHA256
  
  b740d4c07f1bfd42085caf8c5df442634f5415bcaffe2050c52a0f3379a5f03f
- SHA512
  
  b19a43da549d0234b1aedc718eef6781d9f5fe7d06eb41fdb0a19b9d35c7627f660b9c956e2411fe94fe5d97ab7c273ef83ecc168c1ae1d28d683433e14414da
- SSDEEP
  
  12288:xOaEg1tQwjJ3pOpHY2/KCnmJMh9NbMAs0Dmf5a93CjUlNqph:xpPtQwj7OhmJMh7b1siSKsU3y
Score

10^/10

snakekeylogger keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  0702/PO-24701248890.js
- Size
  
  7KB
- MD5
  
  54ea1f4f2737e111ffbcc03808dfec31
- SHA1
  
  7027bd0207b975128d688916230ec4f8900b2bd6
- SHA256
  
  beca565451640f739d3c8771861c838417837e7169d73af86cc3780dbd099be2
- SHA512
  
  fb9cabdcd57e7f70aef201d29bd922c615714ee40c21bc4697691ac01e8ac4b4959719436199054068abe7ceccbd22adb1c2eb0cd86ce8f768dcf637a2607b3a
- SSDEEP
  
  96:qdXsINLKzIXYD4uVaX3X8+eaePEQSX/4KGa:la
Score

8^/10

execution
- Blocklisted process makes network request
behavioral21 behavioral22
- Target
  
  0702/Payment Confirmation (1).vbs
- Size
  
  28KB
- MD5
  
  f72a6162ebf2a0efc89edbbff12cf158
- SHA1
  
  89d7535775bac5a07d9ae7e76e9b397541c0265b
- SHA256
  
  12c916ad80fea271f8d47a0277ce8a8c2090c428adcf2ec538f9f6b6e6d91aea
- SHA512
  
  fa906e47822bdeb66e2a46bb3c399e1fad465741b42a21218c3426a23c99ca65f5d48b4847c1a634c9bd660b2003e2d39eb7ddc5b90f2055a6ae36f904be1acc
- SSDEEP
  
  384:CVRg/BATSpM+Z2AsC7LnCTyHbrF9MEAJIfP3Od85Gmg:Kg5ATSpMsnBnnCTkbrF+43M8Pg
Score

8^/10

discovery execution
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
behavioral23 behavioral24
- Target
  
  0702/Payment_Confirmation_Receipts.vbs
- Size
  
  26KB
- MD5
  
  a374d1c2025292c43a4a717292441c1f
- SHA1
  
  a240c65ec043d5f745fc5a79a4e2c7059b2c9caa
- SHA256
  
  7d22fe443fda8fe46e84c8a0355ade3c03e506a016432a942345311f9862981d
- SHA512
  
  9e16aca8d2453c06e184d40f87b3477b96d2e2c1e59ce4c979a506ac7e9e7b4e15f3bb2de9df105e9b6445dbe1b8a4eb2344c5ad608998204b9603c9eb2b819a
- SSDEEP
  
  384:+lzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgww0Dsol9FWZkM:mzSR022X/523S0e8xPPmXsKFWZUaGM
Score

8^/10

execution
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral25 behavioral26
- Target
  
  0702/QUOTATION_JULQTRA071244úPDF.scr
- Size
  
  337KB
- MD5
  
  2756768c9b94948e6ac6877fd26178e3
- SHA1
  
  30f772fdfdb5a1567d37c9a998f82939d60b6667
- SHA256
  
  b75793ac0d57482cfb4abf41303bc240bb13a089b4b048c0d5ff36f3a19cdc7a
- SHA512
  
  27bcd7ea9b9869f06c8475ebf0c30c1afa34448208cc1fb762d9d7728652f91ea922cf1c5c1f47548e9b2fe1de6c410dd5f82601b2190ceba21e63b83cd5b8df
- SSDEEP
  
  768:JYimXjjjjjjjjjjjjjJp1uHQe21zEjss2S3g1Ircn0sspAgpq8bLyg1uMN0+dzsn:JYi4gQbk/pqELy0uyT+fX
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  0702/RFQ QUG24-200370054200.exe
- Size
  
  757KB
- MD5
  
  ed70a075210d9da38a37aa545249aa1c
- SHA1
  
  fa086fb0272c1f7dade911fdcde53f9b6f0793cd
- SHA256
  
  7ba53ac52055ef736c19a4044688aef3cfe81c545ac34aa2b5bba2214a931363
- SHA512
  
  7f811411f853af4dde1efd12744d9fc87268eca5450de6d414c4ea3b48ccf83de1c0bfbfac675aaaeee7315d654ce99e6bcc224a73ba3863a1d51b821af65dc7
- SSDEEP
  
  12288:RuEg1tQwjJTseCai5d7PC/dyPoHFk2VsVVKftyuGbz//DIsKCAQ4Gzv/VOUM/U:UPtQwj5seCXPPC/QAlWbK5i//Ms9AQ4L
Score

5^/10
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  0702/Revised Invoice 7389293.vbs
- Size
  
  26KB
- MD5
  
  ed86258f8c9db682ae810896c67d498c
- SHA1
  
  e182aef5ecacc6bec36e9bc2bb255436b9dae698
- SHA256
  
  64c701bc7d32900bf11e8f5dd9bed584d350a949c467f5fd6643e8cd7f902fcd
- SHA512
  
  b90e69ed8c473994472b813ef68c45d91e4c46485227f109d400a8b7d4ebfe425abc585387ed61f9e51fd00fd6cdca16f9bf4bf1800082d9cebc8d650429822a
- SSDEEP
  
  384:PlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwCjnvhTT1EFw:9zSR022X/523S0e8xPPmVvJr08hpouGs
Score

8^/10

execution
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Agenttesla family

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Drops startup file

Blocklisted process makes network request

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Checks computer location settings

Deletes itself

Looks up external IP address via web service

Suspicious use of SetThreadContext

Blocklisted process makes network request

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Network Service Discovery

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32