agenttesla | 5dfa193d083fcbe25cc3f69f6f5f961a0cefb60f9fcac2a79b27b7c04b2ab5fd | Triage

Sharing

General

Target

5dfa193d083fcbe25cc3f69f6f5f961a0cefb60f9fcac2a79b27b7c04b2ab5fd
Size

52KB
Sample

250128-jmdmxaskex
MD5

495d28d427b7dd6ded022a630cbc1834
SHA1

b31faca2738f78fc7b656e2a9f4a2b12ba011e37
SHA256

5dfa193d083fcbe25cc3f69f6f5f961a0cefb60f9fcac2a79b27b7c04b2ab5fd
SHA512

a6abcc2e64d372d0dcc6c97cb5caa367b64eb0af0a8f7083538899e8fe2e5c05fbc6954836ab27c63b2484a224f1740aa050edddd0f26106f2a8be4fec1b81e4
SSDEEP

1536:v9tZRsu2zdyfpuvvKODUu4EpVQdLJsMcVUf5u1q:ZRl2zcAvR4kQdLJJceBYq

Score

10^/10

agenttesla collection discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://res.cloudinary.com/daxwua63y/image/upload/v1737543662/new_image_h8btwc.jpg%20

exe.dropper

https://res.cloudinary.com/daxwua63y/image/upload/v1737543662/new_image_h8btwc.jpg%20

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6050556352:AAE_-mublQ2CllMbT9xkQVBjSBbdvdYR1kM/

Targets

- Target
  
  Shipping Docs_waybill NO 2005xxx351.wsf
- Size
  
  189KB
- MD5
  
  3b970c76dbc74cd9b119f487a22c1683
- SHA1
  
  4ebb9876723c2fc5fda46b098094cf0104efac55
- SHA256
  
  73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812
- SHA512
  
  74f4bbe6c8ff3769e4a70189bf28aba7ac0bf8c6a4440c88b24fa6d2207ea4169f032b37d465ca981f2bc4f69f25fd089256bde24d88f7a4e003f6d80beef821
- SSDEEP
  
  3072:z/zQ6Vv//riU/tEqZjCwNZiU/tEyWiU/tEqZjCwNZiU/tEAI6:0U/tESLNQU/tEylU/tESLNQU/tEa
Score

10^/10

discovery execution agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

agentteslacollectiondiscoveryexecutionkeyloggerpersistencespywarestealertrojan