agenttesla | 752e4719ae55cbe74e4018bd756f5eeaaabbeb007cd580d30c75c9a3b9314f03 | Triage

Sharing

General

Target

Transferencia pendiente-password(PnCvyWVv).zip
Size

746KB
Sample

250120-wbpbgs1nav
MD5

e2666796f6df64df74f25724d06fc514
SHA1

e61753f9b3ba89538dc76a5b57165890dc32b708
SHA256

752e4719ae55cbe74e4018bd756f5eeaaabbeb007cd580d30c75c9a3b9314f03
SHA512

1990d1848737015bcffdd9fcfe7820f00d8747c4eca8c44f1fd2e477ce5d6df45a36672172b778345861d091241e85f0c31287e0000733eab09215ed43d520ca
SSDEEP

12288:U1FK7s66eCyGTB/bQPn4tAB/ldFoA/bJtL9qijljy+mvdoaY9gjnT:U1WeunMS/lUA/dtNjljy+odoaCgjnT

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.solucionesmexico.mx
Port:
21
Username:
[email protected]
Password:
dGG^ZYIxX5!B

Targets

- Target
  
  91dc7a555214f1cb76befd696cbb3454c8dfb66c1fd6cbcce8bcb0cc2a8a924b.eml
- Size
  
  746KB
- MD5
  
  535f378cafeb83638768fe29b7ee0fb3
- SHA1
  
  d232b8c1d0af9b0d17b00e6c80c736bd9eb1b9d8
- SHA256
  
  b521442f384b5aa79ed5b5ca49d9ee7d80ee86c5533cd2dd7160fdf8593d358b
- SHA512
  
  0b305e6980e294437c7c81b2b94ee583b3efb4a5cb0dd601c32569a5d21ff2c43c9905799d3fe20113b8f1cd62f7f3746cda5a1b66bdc098b33ce9f65731ca05
- SSDEEP
  
  12288:vkX3EreQhTlWhtU1obHFN2EXHthC/P4FGnG4IZuDvVs7dvoPS7uZwH/:vP5ozFnHtoHtnGJO3Puf
Score

5^/10

discovery
- Drops file in System32 directory
behavioral1
- Target
  
  Transferencias Pendientes de facturacion - Maxines SRL - Dic24.lzh
- Size
  
  542KB
- MD5
  
  9565deef5d3ec3decd7fcaab522e3630
- SHA1
  
  cdd658b005bbb183f9d85bdecf9de8eb224383e8
- SHA256
  
  f8664fec1486bceb5eb77dd7fce08bf86140e6fc7426fd9a42c06070997d26cd
- SHA512
  
  79e3a5c5da4e1cfdd6601a6e8bcaead7f4b8d75e1d8920417a92c8a33c5af5f1f410e8eee78bf6bad1064d7bf6d70fc56f54dd7a5dd02949312e9cd7f52d8f99
- SSDEEP
  
  12288:RU/aKDtOaTiMfSv4MXKWILT8Pjz3QAn6ySp01a8ndR5yTC8:RipxOawg+K70jz3Q+6Zpb8ndRcJ
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
- Size
  
  1.0MB
- MD5
  
  e7a41d3a6376d834e88548ca8e2d5187
- SHA1
  
  0ac56ad806f92ad780ff4e64e8610b102944aabe
- SHA256
  
  72c492c3198f103c677df4abbbfcfc96a3f43126d9f8ef6426cd74e879405524
- SHA512
  
  20e18f647a2e227b4c44a564037f744de3b6d6b4c2a9ef0a983f74451e1e9f564334ee4ecdaefa981bcb1a1cf911e2260ea15a65c13140188ee2bc7bfb27757b
- SSDEEP
  
  12288:1CdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBgaOTeV0tHJKF:1Cdxte/80jYLT3U1jfsWa2eVLTLL+Q
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agenttesladiscoverykeyloggerspywarestealertrojan

behavioral3

agenttesladiscoverykeyloggerspywarestealertrojan