agenttesla | ec7878220abe0d5307c5c1067dbc3d4a87134b20fef24e86c0ae46046ac4328c | Triage

Sharing

General

Target

23042025_0625_order nr. 0123 for 1.000.vbe.zip
Size

14KB
Sample

250423-g6167sy1bs
MD5

fe5d7c5bf0b4c218568cc84556cf8a44
SHA1

88d0d6f6885be628d09d90f30c5719e6410a919a
SHA256

ec7878220abe0d5307c5c1067dbc3d4a87134b20fef24e86c0ae46046ac4328c
SHA512

958b70048b9a2e6b37ae9fe63bcd701eb2a77d8422e81aa066551c9fdf3bc9b06a46a59d3d5984ba1e9af6d93a92bc82c0e5fef4289db8b19c79e1353cd1c76b
SSDEEP

384:OfkC1UNVJHmx18UveBkzMNVl80vIu+ApvKiUVP9q:m11wc18UvjANVl8gvKvP9q

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.isuzutanphat.com.vn
Port:
587
Username:
[email protected]
Password:
aTLIfly8yk

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.isuzutanphat.com.vn
Port:
587
Username:
[email protected]
Password:
aTLIfly8yk
Email To:
[email protected]

Targets

- Target
  
  order nr. 0123 for 1.000.vbe
- Size
  
  28KB
- MD5
  
  592f0484a76de4f5edd8f9bd9d48e6c8
- SHA1
  
  8b72670572d4a1be6ae92ec5dbd3eec658e0ed66
- SHA256
  
  dfb92d282ba5ff519b2439265d3c9257bc23d7eceb05fc969eada0060cb23380
- SHA512
  
  47621868e8fb52cc671d819a3d7941ba39975ddd8dd92b3e2efc51b7653ece679c97d59195523919b3a661b82c83ef0a572f17b68ad7e4dbda5626ec75798874
- SSDEEP
  
  768:GAmGerlP5Z/JlYRhCn+CHdR0NnKem5y+QwJMOHR:HmGehPXxuRGdm/msTwJMOx
Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

behavioral2

agenttesladiscoveryexecutionkeyloggerspywarestealertrojan