agenttesla | f6e159f0e6c27e334d951dd08dff7819878b7ac4318b5dcd1a2d9975062ab8d1 | Triage

Sharing

General

Target

RFQ-004282A.Teknolojileri A.S.exe
Size

599KB
Sample

241212-katc9syjfz
MD5

6ea849b727eea7b7487aa0941258f8bd
SHA1

6fca473e6498bde1b015e95fd612d156727a19fc
SHA256

f6e159f0e6c27e334d951dd08dff7819878b7ac4318b5dcd1a2d9975062ab8d1
SHA512

23442f983e18788f2ac5f3e4839fcbf4252964c50b0363798718b50f20129df73f9fa9d9df5407b5a18f2cb18c97bddc9dd66a5e3dc35dc0b43536090272a91a
SSDEEP

12288:5yDylIzYVQVHLgGiV3zkkvaB/FXPD02tdbNkrIGd7F0oS4M+3+xe:5jsVrTiV3wddr02TbNM7Oo3M4

Score

10^/10

agenttesla discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
nXe0M~WkW&nJ

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
nXe0M~WkW&nJ

Targets

- Target
  
  RFQ-004282A.Teknolojileri A.S.exe
- Size
  
  599KB
- MD5
  
  6ea849b727eea7b7487aa0941258f8bd
- SHA1
  
  6fca473e6498bde1b015e95fd612d156727a19fc
- SHA256
  
  f6e159f0e6c27e334d951dd08dff7819878b7ac4318b5dcd1a2d9975062ab8d1
- SHA512
  
  23442f983e18788f2ac5f3e4839fcbf4252964c50b0363798718b50f20129df73f9fa9d9df5407b5a18f2cb18c97bddc9dd66a5e3dc35dc0b43536090272a91a
- SSDEEP
  
  12288:5yDylIzYVQVHLgGiV3zkkvaB/FXPD02tdbNkrIGd7F0oS4M+3+xe:5jsVrTiV3wddr02TbNM7Oo3M4
Score

10^/10

agenttesla discovery evasion execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoveryevasionexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

agenttesladiscoveryevasionexecutionkeyloggerpersistencespywarestealertrojan