agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

Documenti di spedizione.exe
Size

777KB
Sample

250116-m8xjpaykhk
MD5

424d1a3ddc69f3335da09d2300d6bafa
SHA1

d7a16c4fd81363f1ac839abef7de303605871277
SHA256

1517b2cad778c2f60c3e175797fbe180f9d869aad4b4ec22ea4e619c4f87ef63
SHA512

319df4c10dd606f1d116908055359010ea27d0b492ed4c5e2bcb3e7a647332d9a6f6eb33faf3fdd35a7404226110c235c32057335d7affb2cbfacebb54c3787c
SSDEEP

12288:wtsfn0E9XB0fPHsFgu6+0wfYTPPZn8fnd+23MsftvphBV7GWu:w2R90PM96+PfYTdRWMYJ6Wu

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  Documenti di spedizione.exe
- Size
  
  777KB
- MD5
  
  424d1a3ddc69f3335da09d2300d6bafa
- SHA1
  
  d7a16c4fd81363f1ac839abef7de303605871277
- SHA256
  
  1517b2cad778c2f60c3e175797fbe180f9d869aad4b4ec22ea4e619c4f87ef63
- SHA512
  
  319df4c10dd606f1d116908055359010ea27d0b492ed4c5e2bcb3e7a647332d9a6f6eb33faf3fdd35a7404226110c235c32057335d7affb2cbfacebb54c3787c
- SSDEEP
  
  12288:wtsfn0E9XB0fPHsFgu6+0wfYTPPZn8fnd+23MsftvphBV7GWu:w2R90PM96+PfYTdRWMYJ6Wu
Score

10^/10

discovery execution agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Magisterforeninger24/Demarkationernes/lagnerne.gor
- Size
  
  1.4MB
- MD5
  
  00ecf2e46cda54999a2a96d844ccf470
- SHA1
  
  18ef9ed3e90e19aad682d4fc2712b62bec021991
- SHA256
  
  fbcdb4c664a22f51bb1cb9e460bab8abc6cdf33c844301043cd32ca71e19dcd0
- SHA512
  
  c8e9ff7cfaa5c574bc1365cdfd5ea19a252a8a28fa34f10634ba8f0a28ab526f091c6b3e482d858a7213b2465d429889f904c4972c02011d4acb8afd5d6cbd6b
- SSDEEP
  
  768:aKSDbUZuGguSPxsEM3CCoyM2MiLKUEOeYJKiu91MUQ8VXZU76sEnvyJlFHbaSdX:DaOx/r
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Magisterforeninger24/Demarkationernes/selvhersker.txt
- Size
  
  451B
- MD5
  
  5336415c4e5fc79f524b29c4698cd56b
- SHA1
  
  57f2b5cb843b3e1ae2cdb13e6b7e387abca684f5
- SHA256
  
  14b4b7df35d937c06f3ddfef4fea51b128abd963a6c369778e26715f0c185ca4
- SHA512
  
  39f0baffcbeb5858b3f1ee57334ba5566513a7ef4bfe348495eed230b1b6878194b2c97feefda435bafcf11dc6ec141a0ce6702976a252e6be2754ee2cee458d
Score

1^/10
behavioral5 behavioral6
- Target
  
  Magisterforeninger24/Demarkationernes/skjaldedigtnings.cat
- Size
  
  3.7MB
- MD5
  
  b21ec9aa8c9764f3a8d8e8322bdb178b
- SHA1
  
  5a74c620ea1fc99887b876ae7a35e50ab44c5d6e
- SHA256
  
  e6636801a2eb2831bde89e0625a2750f52093b4e643745d1f31ced8e95e12383
- SHA512
  
  29add0e06261282b4c8daaf0ddbfbd59d27a474964c65e9bb71b6198dc9585e3fddfd9d6050368d5f4803b3cf364f931cbc89ecd3c125280c43cf0e4a07288f7
- SSDEEP
  
  768:hx576kp7Vpb8gST+rqi8atMPwCpxN9/R6kNK7P8Ztgyc/s63TkRGTq3jBM2FLP1T:hFS18X5OLB6A
Score

1^/10
behavioral7 behavioral8
- Target
  
  Magisterforeninger24/Efterskrivendes.Ful
- Size
  
  55KB
- MD5
  
  0528a9bc5149e49e3c154c29c0230719
- SHA1
  
  3f9370061cc387d5adad587abacc6cb56b873a56
- SHA256
  
  3176ee8d9e193c87855dca4c1a53a3f0cc17d1d64cd5ef3df52f295927925c8c
- SHA512
  
  ebb50afbf89489ed96a9978d40e61d4150399ad464665313906f414ffe4bc0e81d321765593f881a34e5957d0662d14021e4a52a5fba870768867483ba2bb3d3
- SSDEEP
  
  1536:LMoNkDukoJBEWH/6/vHlMXokmGfG1P8Vu6y8k/:AxDeJXC/9MXok6qVu6tk/
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral10 behavioral9
- Target
  
  Magisterforeninger24/gypsologist.dog
- Size
  
  649KB
- MD5
  
  9c340b5aa9a27f21fb077970b1ac466e
- SHA1
  
  9588d54b75835773a2b81b365893f2febde99ba1
- SHA256
  
  a51c824b7ad45b740dee2f7c6560a7a338ba0aeee64e49289d6208bff6237a2c
- SHA512
  
  2826cc6fa5c67c91f5d80426838094eb4f865a1dbe8e2c11d80830c4c72125a6f41476b93fb77d235b584383aec919f39fb72e6ccf3e664ad1091ca6b69d53a5
- SSDEEP
  
  768:jrIwYWUO3HMb7+ehFB1ufp20EA632Z1yfWLdZBwVlAPC:CAJT
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Magisterforeninger24/informationsproblemernes.ste
- Size
  
  218KB
- MD5
  
  4aea2ae38d40698031a4c3978fd2e462
- SHA1
  
  8565b63136efb7c333c41eaa53bf49af30d02d94
- SHA256
  
  b71ac55cea2ebc771bea79c68006ad1a260bb17aabe122447d09772e54630583
- SHA512
  
  a879f935f9d41f840952cf898a2875f91cae8b69542cfcc263fadb583681f9ae79f2148dd38b0ef7bea38dc4737b73f6c50e80a572688ae785dead8ecffbed86
- SSDEEP
  
  192:UbN3OQLR6fCG0M6s6w6Fz4PCbIKk7VbtKc:UbN3OQLR66Gt6s6w6Fz4P8IKk7VbtKc
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  Udlaansbetingelser.sme
- Size
  
  352KB
- MD5
  
  365192963e84961bb4ad8095785fc17a
- SHA1
  
  2fd4a5e63cf6176cbdb3decc6dff9a1b8fd8d649
- SHA256
  
  e4475458e2580de7bf379f70dbd69edd2424fef1e155bce84a1bda16d70230b3
- SHA512
  
  c39a3e96cbdc4356dfd4ba9e30b078a3c8960268225e548b0e60beebff8f76d8f5e2df5dd2799d1cd4d8862967d15ef5d53a4122edacae4148be28c8bfa2855f
- SSDEEP
  
  6144:3FcLlptzsbGain+wfRcmnovR+p2PymfLHzsv9BwRbky:qLRLXnRcSX8amfLHuBCky
Score

3^/10

discovery
behavioral15 behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Agenttesla family

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Boot or Logon Autostart Execution: Active Setup

Enumerates connected drives

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16