agenttesla | 8b1a3325abed1a5e86ef9759aa90644c9a46d4baa806a3be057ce8b5c4de7749 | Triage

Sharing

General

Target

8b1a3325abed1a5e86ef9759aa90644c9a46d4baa806a3be057ce8b5c4de7749
Size

675KB
Sample

250117-bx5v5sylfl
MD5

1fbec4d33c795d74d3fd1af8a82aff53
SHA1

b508f538024b04aa708bfc4d11527ec9c853be92
SHA256

8b1a3325abed1a5e86ef9759aa90644c9a46d4baa806a3be057ce8b5c4de7749
SHA512

0b92aafb7fb60027af83ad483f043be0e6fa460f546cda31652b6e7d0232bb4b01e612ca86a8bd7b2765d0a8b5f2b72c9512191a87654f3a5b3cf8d3e1036961
SSDEEP

12288:4gkvgwxI9MhaNkrqsn/6DJ8EfnYiYiZh0AzRYb1gbMgfa:4gk1OnNCz/6NrYkuANYhgk

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
JaR4LTajHPY5

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
JaR4LTajHPY5
Email To:
[email protected]

Targets

- Target
  
  8b1a3325abed1a5e86ef9759aa90644c9a46d4baa806a3be057ce8b5c4de7749
- Size
  
  675KB
- MD5
  
  1fbec4d33c795d74d3fd1af8a82aff53
- SHA1
  
  b508f538024b04aa708bfc4d11527ec9c853be92
- SHA256
  
  8b1a3325abed1a5e86ef9759aa90644c9a46d4baa806a3be057ce8b5c4de7749
- SHA512
  
  0b92aafb7fb60027af83ad483f043be0e6fa460f546cda31652b6e7d0232bb4b01e612ca86a8bd7b2765d0a8b5f2b72c9512191a87654f3a5b3cf8d3e1036961
- SSDEEP
  
  12288:4gkvgwxI9MhaNkrqsn/6DJ8EfnYiYiZh0AzRYb1gbMgfa:4gk1OnNCz/6NrYkuANYhgk
Score

10^/10

discovery execution agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  59e487d0a38dce3f6be70d153d7b84a0
- SHA1
  
  0c2ca2fb13731c9f5c53d663dd3804a423736c45
- SHA256
  
  f19f36b3d8c9f78786eb2dc99d7c7ffbfa1c8236843f139c625a60fde3e6b4c3
- SHA512
  
  42c80f25e3e49a3a81ec20104feacfc9652410d50ef90020e61c889fb0e94b0e54e1214c37f205a9f180a56dc569628a62d2bed868ffceb3bb3bbbc842403735
- SSDEEP
  
  96:J0mkmwmHDqaRrlfAF4IUIqhmKv6vBckXK9wSBl8gvElHturnNQaSGYuHc2DCP:JHjRrlfA6Nv6eWIElNurnNQZGdHn
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

behavioral3

behavioral4