agenttesla | b30d15e1fd826e16c27bda3b36e7393bf2b0c007e3e3290a571ba3dd04c4c766 | Triage

Sharing

General

Target

b30d15e1fd826e16c27bda3b36e7393bf2b0c007e3e3290a571ba3dd04c4c766
Size

3.2MB
Sample

250125-bp8baszlap
MD5

a4188f15fc0369e5964b5e79e6b9583f
SHA1

1803e2fbf8cc404650e03883248db932eeba5128
SHA256

b30d15e1fd826e16c27bda3b36e7393bf2b0c007e3e3290a571ba3dd04c4c766
SHA512

f99fe7718a6d5e0f11efe4220c02a1ace36eb910d6685530acb6e210c7c158bb839d2622bf56b7e389d7b08c7a13cb77a6529b2cb0121c1f8bcade276dd6ba34
SSDEEP

12288:3J06HXD5uKDcWMXUoes0+2O0CHN1VBYT5QF:jXdDXMEFQ/HbV

Score

10^/10

agenttesla collection credential_access defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5349655878:AAGnMhpzchQYN5RbZ88-w3gvA1SNsxWo7ts/

Targets

- Target
  
  b30d15e1fd826e16c27bda3b36e7393bf2b0c007e3e3290a571ba3dd04c4c766
- Size
  
  3.2MB
- MD5
  
  a4188f15fc0369e5964b5e79e6b9583f
- SHA1
  
  1803e2fbf8cc404650e03883248db932eeba5128
- SHA256
  
  b30d15e1fd826e16c27bda3b36e7393bf2b0c007e3e3290a571ba3dd04c4c766
- SHA512
  
  f99fe7718a6d5e0f11efe4220c02a1ace36eb910d6685530acb6e210c7c158bb839d2622bf56b7e389d7b08c7a13cb77a6529b2cb0121c1f8bcade276dd6ba34
- SSDEEP
  
  12288:3J06HXD5uKDcWMXUoes0+2O0CHN1VBYT5QF:jXdDXMEFQ/HbV
Score

10^/10

agenttesla collection credential_access defense_evasion discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Looks for VMWare Tools registry key
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectioncredential_accessdefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan

behavioral2

agentteslacollectioncredential_accessdefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan