agenttesla | 7ca1df4dbbeec2613da7d3761e7809633626a4112325c7cc36a7091963f8e0d3 | Triage

Sharing

General

Target

11122024_0638_Company-profile-of-VCR-ORDER#63729.xlsx.vbs.gz
Size

56KB
Sample

241211-heflvs1ncz
MD5

1f4dd96e738bd2de17fc90d03a90cd5e
SHA1

0e99372037bfbfb89a94d538c2d745ab0ada5f5c
SHA256

7ca1df4dbbeec2613da7d3761e7809633626a4112325c7cc36a7091963f8e0d3
SHA512

2109a26653341d9db79d373fbd8c00608037e5209623d02eec9c0d7c4bef0752a5526b48171d5155ec60873e1afc045fef242872f8a78ebd416b7b23c92a2ea6
SSDEEP

1536:UXYnjmkj19JlKRJv9o/1AIUZwyPapBa7ENVXzwhGMsQp2:gYjmkplKRJFK1A3Zw9pBZDwg

Score

10^/10

agenttesla collection discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6050556352:AAE_-mublQ2CllMbT9xkQVBjSBbdvdYR1kM/

Targets

- Target
  
  Company-profile-of-VCR-ORDER#63729.xlsx.vbs
- Size
  
  152KB
- MD5
  
  41cf7825cf77ddf8fb888749b7b6547f
- SHA1
  
  b89fc1ab3e8df2bc33e8aae8f1bf6a82b1788705
- SHA256
  
  9a9e5c97bca11cc8a54c61b20e4dbb5ed1dc77f9327e0e27c8bf1e86fb6bb5d7
- SHA512
  
  232cd73ade4e1433a65e377833eb16b9c01dfaf6b59012e163758c67233252551fab98887fad9ad2bc4f84f4233eff59495d594834c15c25020872ad7bff3f64
- SSDEEP
  
  3072:1ew51avxlU+tI1DTQX8F7CNEoWGXu+Fqew51avxlU+tI1DTQX8F7CNEoWGXu+qeF:1ecOxlUq6sX8F7cKGXPFqecOxlUq6sXB
Score

10^/10

discovery execution agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

agentteslacollectiondiscoveryexecutionkeyloggerpersistencespywarestealertrojan