agenttesla | 63bef232df0930f5098d8154af7fa12d93a69e50031583b410dd19499d40facf | Triage

Sharing

General

Target

63bef232df0930f5098d8154af7fa12d93a69e50031583b410dd19499d40facf
Size

587KB
Sample

241211-k4pbeawley
MD5

c0ee52955f2289da244170cf797ab77e
SHA1

a270908cbd44f813aa31e8a225bc15cb06c19071
SHA256

63bef232df0930f5098d8154af7fa12d93a69e50031583b410dd19499d40facf
SHA512

4b1f3fe84fb0fae92dd4a2afd4f19753f8127b5f26658598cf147bcad3690bfeb2e3b2f1cb1966df0a6c2f5da7a752895cabd3960990d1dbdc5e4c7ccb7e5d21
SSDEEP

12288:2I3V8ZJniBG4T56dkBmtnloXdC8ahndPrQ0biTZX6Ol5hd94Y:ZmZJio+6dkktnWXd6hp50ZKOlhj

Score

10^/10

agenttesla discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
nXe0M~WkW&nJ

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
nXe0M~WkW&nJ

Targets

- Target
  
  QUOTATION#08670.exe
- Size
  
  590KB
- MD5
  
  93bdfd46628601b04ea067e5f52187d7
- SHA1
  
  4d2e420aa6a8289763b9c0a79fccb7e18ee02294
- SHA256
  
  f2d566b1b667cf8ea8c35f2827f62e7430941e1fdd13019811768e3a942ec926
- SHA512
  
  1397ea8a0b29caa8497bc4efb4c20652980c2c76f617a2c235b925bb1ddd7c830f2b661feca5674b002479d230b78240455afa6a31c4854dba3229b903bb8f8c
- SSDEEP
  
  12288:0ZgE2xCedYZjsPmHfw+KsbAMgqURZyaRbN7RjVI06fbXB12dzJJVNcxWq:0ZgEa7dYlsPm/msR1QfJI591ezJHNcH
Score

10^/10

agenttesla discovery evasion execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoveryevasionexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

agenttesladiscoveryevasionexecutionkeyloggerpersistencespywarestealertrojan