agenttesla | df215a01f6a83014a148c6e407cdc8422e9119a88b4220a1321b2986ea9aef63 | Triage

Sharing

General

Target

seemebestthingsevermeetgivenbestthingsfornewways.hta
Size

46KB
Sample

250109-yvpsga1qhn
MD5

e90ae8ec16ea2056caaa64ac13a31373
SHA1

8041a1bda3769b97d8e8b980c6a77fcd2829d715
SHA256

df215a01f6a83014a148c6e407cdc8422e9119a88b4220a1321b2986ea9aef63
SHA512

0e2387a7813adf066dab3ec72b4525cfb4965c3d124595165de42ea17e35055a2e5c7bbf9eae70568e2290cec9d627f742c23129730ec730a947175916c8fc7b
SSDEEP

384:gLezlvdbmgM8m956YSmzBB5CtbHA7lvRvw:gOlvBvm956YfwTARZ4

Score

10^/10

agenttesla defense_evasion discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20

exe.dropper

https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.horeca-bucuresti.ro
Port:
21
Username:
[email protected]
Password:
e)rWKbKP8~mO

Targets

- Target
  
  seemebestthingsevermeetgivenbestthingsfornewways.hta
- Size
  
  46KB
- MD5
  
  e90ae8ec16ea2056caaa64ac13a31373
- SHA1
  
  8041a1bda3769b97d8e8b980c6a77fcd2829d715
- SHA256
  
  df215a01f6a83014a148c6e407cdc8422e9119a88b4220a1321b2986ea9aef63
- SHA512
  
  0e2387a7813adf066dab3ec72b4525cfb4965c3d124595165de42ea17e35055a2e5c7bbf9eae70568e2290cec9d627f742c23129730ec730a947175916c8fc7b
- SSDEEP
  
  384:gLezlvdbmgM8m956YSmzBB5CtbHA7lvRvw:gOlvBvm956YfwTARZ4
Score

10^/10

defense_evasion discovery execution agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

agenttesladefense_evasiondiscoveryexecutionkeyloggerspywarestealertrojan