agenttesla | 887f393b62c6c4b69e81cfc772397619082d936dd38cbcbc0f54b623ef871af6 | Triage

Sharing

General

Target

PO#98540-00.exe
Size

818KB
Sample

250121-mkc55sypdy
MD5

ea046995fae362aca9e45a8374b2e7d3
SHA1

220030086ea9c40d840904ee914fce760355313a
SHA256

887f393b62c6c4b69e81cfc772397619082d936dd38cbcbc0f54b623ef871af6
SHA512

fc5fc4d4ba627d5503bf162c7ea0b86379be979badf27950449ee7ae6552b14ad7b170a567feaca8b6a1c98c404e399651d1fec7e4d0330161ec436b940c5deb
SSDEEP

12288:LOfIO8DfgZCZtoym2Tm9I+M4AszKlF5+YZ4sEu9neODY72eM9lOR7rCThUa+e1+:LOkfpOFM4TKQyxetMCRvE+p

Score

10^/10

agenttesla discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.starmech.net
Port:
587
Username:
[email protected]
Password:
nics123
Email To:
[email protected]

Targets

- Target
  
  PO#98540-00.exe
- Size
  
  818KB
- MD5
  
  ea046995fae362aca9e45a8374b2e7d3
- SHA1
  
  220030086ea9c40d840904ee914fce760355313a
- SHA256
  
  887f393b62c6c4b69e81cfc772397619082d936dd38cbcbc0f54b623ef871af6
- SHA512
  
  fc5fc4d4ba627d5503bf162c7ea0b86379be979badf27950449ee7ae6552b14ad7b170a567feaca8b6a1c98c404e399651d1fec7e4d0330161ec436b940c5deb
- SSDEEP
  
  12288:LOfIO8DfgZCZtoym2Tm9I+M4AszKlF5+YZ4sEu9neODY72eM9lOR7rCThUa+e1+:LOkfpOFM4TKQyxetMCRvE+p
Score

10^/10

agenttesla discovery execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoveryexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

agenttesladiscoveryexecutionkeyloggerpersistencespywarestealertrojan