agenttesla

Sharing

General

Target

4f3c0de5a08e918050382a42c6109fda68cc8167664065ebd98c73d761fde3f3
Size

18.4MB
Sample

240620-cqz7raxfpl
MD5

40685ad748cf99dfd9aa8747195b266f
SHA1

844094dced2c259dac21977fd6f5415e4781e319
SHA256

4f3c0de5a08e918050382a42c6109fda68cc8167664065ebd98c73d761fde3f3
SHA512

decf87807bec6966c63694fd1529abdb4f4b97c4526ee7cbe52b78bde002d1ccce1cb51d6f679ac28fa68b29b459a772b6165041fa31b81ba972f3e833a7bd3a
SSDEEP

393216:lR66vlrcuVVO5wF1yVrvQud+WoTtDsC9cOv+5cMRbco0vTRtqgxzLwxwZAeZU:lR6IBni7lGOscQMRbKTRtqWwxa1ZU

Score

10^/10

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Extracted

Family

mirai

Botnet

UNSTABLE

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
xhcgmrubwdhylrry
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
xhcgmrubwdhylrry

Extracted

Family

formbook

Version

4.1

Campaign

cr12

Decoy

nff1291.com

satyainfra.com

hechiceradeamores.com

jfgminimalist.com

qut68q.com

pedandmore.com

sugardefender24-usa.us

somalse.com

lotusluxecandle.com

certificadobassetpro.com

veryaroma.com

thehistoryofindia.in

33155.cc

terastudy.net

84031.vip

heilsambegegnen.com

horizon-rg.info

junongpei.website

winstons.club

henslotalt.us

Targets

- Target
  
  PRE-ADVISE PO 45202549.exe
- Size
  
  731KB
- MD5
  
  cb95734e59b6b649c53ebae76634a05c
- SHA1
  
  2211f611f66a45c94079c99d9e43bf9c1309c498
- SHA256
  
  73c5c4b12646631dbf1e8adf10b52b8635b34d02d753d3fe829bd41210f547f0
- SHA512
  
  b92e3656eaa0d0de42daf45feb572f387c9cb4163e0657e80dcf51dd85c703c646fd1a751160f7c1149824cf41cf45fd3e08cef9323e3b29006983652a4c7731
- SSDEEP
  
  12288:RgsEDqiqyJMEFFYRqXHkgiANPvzB6GLPmgMuJHC9YGvmxa7hyGlvdPR/Ue77P578:Ge5OLFTXHkgiMPl6G7quJim0mcFyGTPm
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  New P.O.exe
- Size
  
  1.2MB
- MD5
  
  bf62b57ee6b1e88d479e982fcc5bcf68
- SHA1
  
  35956b67857e333893689bf293b053653180bc87
- SHA256
  
  174d337dc96f1d28833631db40dfb53ed28878b50ade6698a423b222b3ff78e8
- SHA512
  
  ce25b0d13a2af6df4a89a7376684535b78b2cf4fff76121344ab700a70852f0a23f70eddbe8884f70584c4a12afbc20149a4e6253a23de5294672d0998713553
- SSDEEP
  
  24576:PAHnh+eWsN3skA4RV1Hom2KXMmHa0cBsAbHXBRSPO2fC5:yh+ZkldoPK8Ya0ahdRFP
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  174d337dc96f1d28833631db40dfb53ed28878b50ade6698a423b222b3ff78e8.exe
- Size
  
  1.2MB
- MD5
  
  bf62b57ee6b1e88d479e982fcc5bcf68
- SHA1
  
  35956b67857e333893689bf293b053653180bc87
- SHA256
  
  174d337dc96f1d28833631db40dfb53ed28878b50ade6698a423b222b3ff78e8
- SHA512
  
  ce25b0d13a2af6df4a89a7376684535b78b2cf4fff76121344ab700a70852f0a23f70eddbe8884f70584c4a12afbc20149a4e6253a23de5294672d0998713553
- SSDEEP
  
  24576:PAHnh+eWsN3skA4RV1Hom2KXMmHa0cBsAbHXBRSPO2fC5:yh+ZkldoPK8Ya0ahdRFP
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  1acc6fd2850bf39084454669685e98ad49bfab90fcafe1e91f49caf4af182405.elf
- Size
  
  187KB
- MD5
  
  5a57c37935e84a37aaa682cf4c991222
- SHA1
  
  171bf1e48e28d1c332711861dffaeabd0f014bce
- SHA256
  
  1acc6fd2850bf39084454669685e98ad49bfab90fcafe1e91f49caf4af182405
- SHA512
  
  2dac831ad836920cc5e82099934db14af33189a0d807abb8b7a094a6a3857fe92c3415d76537f0ef9b326a3adfc94bc30ab288093f4307afc2f3680b32b39ba7
- SSDEEP
  
  3072:mWSFzOpsT6FbGqEVyYaySFjiHNjgsxSuRgh86Mcmo+M/RegKmYRA:mW8iplbGLgYaySFjiHN0sRq867v+M/RX
Score

9^/10

discovery
- Contacts a large (74734) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
behavioral7
- Target
  
  JDtnp2mcrQvXDeo.exe
- Size
  
  652KB
- MD5
  
  3aee87433e931e3a5fc22f57f428fcbb
- SHA1
  
  f6495dd08bdc9d8d049e1e898800bd8d9311a549
- SHA256
  
  709cb8b2628d52b597a87f74bd8867dd40cb54bd48940d159dd11930d9d76472
- SHA512
  
  8f12394205a9940feaf4d350f2d4d6f3adb693e00a56ebb8933c6cb6b062f419e4aaf0f4ccccd507bc1cfe042bd9ac0ee669d52e29daebd2c8465a3c709e4f24
- SSDEEP
  
  12288:G3qyJMjKlhpPEe0XTfBSH9GuIwY4HwHDohzRqrewL5aArEpVLsGY:G6OFh9EVckHBshMreWgWJ
Score

10^/10

formbook cr12 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Suspicious use of SetThreadContext
behavioral8 behavioral9
- Target
  
  73c5c4b12646631dbf1e8adf10b52b8635b34d02d753d3fe829bd41210f547f0.exe
- Size
  
  731KB
- MD5
  
  cb95734e59b6b649c53ebae76634a05c
- SHA1
  
  2211f611f66a45c94079c99d9e43bf9c1309c498
- SHA256
  
  73c5c4b12646631dbf1e8adf10b52b8635b34d02d753d3fe829bd41210f547f0
- SHA512
  
  b92e3656eaa0d0de42daf45feb572f387c9cb4163e0657e80dcf51dd85c703c646fd1a751160f7c1149824cf41cf45fd3e08cef9323e3b29006983652a4c7731
- SSDEEP
  
  12288:RgsEDqiqyJMEFFYRqXHkgiANPvzB6GLPmgMuJHC9YGvmxa7hyGlvdPR/Ue77P578:Ge5OLFTXHkgiMPl6G7quJim0mcFyGTPm
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral10 behavioral11
- Target
  
  PR-ZWL 07364G49574(Revised PO).exe
- Size
  
  759KB
- MD5
  
  6ef3cba91b136ae138380b710a104a12
- SHA1
  
  5347a8375a4faaca804d39b6e892241086be8986
- SHA256
  
  c79a98c3a11afabf39a52a12cb7d1ee6cf4f9df5c7bc54aa969296f50b75aa73
- SHA512
  
  f65fd41faa37b1eaca4f60f830fc4c22c43f91821489bbfa9340f65c16e8056cd331b4cf68d8223245cbca6c7493e837cf15b16dfe371ff0a95183a9813051c5
- SSDEEP
  
  12288:YgsrmyiqyJMbloYxlJHATl7Nn4JaywbIK/bOFNEpDg0891ZdujAC6lITYeMmR/E:QF5OyoY5ApZnRywbj/bieTi1ujAC6r37
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies file permissions
  discovery
- Suspicious use of SetThreadContext
behavioral12 behavioral13
- Target
  
  SOA pdf.exe
- Size
  
  717KB
- MD5
  
  0e928f8ca2a45826211c1e02c9ae09f8
- SHA1
  
  502ba9469f174b8ae062278be8ca847616d4e0f8
- SHA256
  
  3c4a6a16a5d8679e83400b100265e0513f5993e513d5f17c875976b09cd1bf25
- SHA512
  
  1ae4d75d15026e3277b42918756b1bc7a91960811136af4672ca48c9b943279b4ff22be4382275629693ae9f17b0c3e95ac1ade95c5bf167086015478aca4ca4
- SSDEEP
  
  12288:I3qyJMM/F1KswrqeiQgLI/VvH8WX1wMVeARbNPnN9jXBOQS6XczZLK4I7ukDkR:I6ON1KAYVvH8inwARbNPNNX3VMBK41kW
Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral14 behavioral15
- Target
  
  8c56b0f77abb15a25ffdd9e0700475d339c640c4f40094a8bc97223d850c1f4a.exe
- Size
  
  261KB
- MD5
  
  cf98d600d1bcb5cbf653ce1c217afffd
- SHA1
  
  b390d1d18f7525df4ba20fb9a05c29661313303e
- SHA256
  
  8c56b0f77abb15a25ffdd9e0700475d339c640c4f40094a8bc97223d850c1f4a
- SHA512
  
  6c1edcf5cc6ccdc3536ddd6e20f101551a3ec3ec9745eab9714922ca16a5c4d6763f8e1df172672ec5987310b6efb7335056ff23970f2404bad1bca228c87b20
- SSDEEP
  
  6144:zDKW1Lgbdl0TBBvjc/pln9MM1opjyQk0cfXGN49gT:nh1Lk70Tnvjcn93eplkJmT
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral16 behavioral17
- Target
  
  a7756cd5c50f47896fe717bf2ae620f8f3b451e84a70f983c6d79c4f7ad63dc1.elf
- Size
  
  142KB
- MD5
  
  6c189b57296bbee400556efb87716501
- SHA1
  
  dfb372e7329d279ea0c7c88c9fe4c332332c3345
- SHA256
  
  a7756cd5c50f47896fe717bf2ae620f8f3b451e84a70f983c6d79c4f7ad63dc1
- SHA512
  
  e2f27fed8f1939c72d46a9e514ece01174917ea1e0b6a7746a8ca7d82427338f2b587424f184408678687ed8bd447a41d9f8c44eeac78f450d3349d0e0abc3b9
- SSDEEP
  
  1536:M+noapd+7x2AZWwK58AvA4BBAhxrE4V9jFTbjBikIjqYjo8xnelMLwywh9ToGwV3:M+nb+EwuPv5BBwg4XF/jBioGN60aLRF
Score

1^/10
behavioral18
- Target
  
  ac6ea6239a4b82d24b823f1a50ab207652024f33726730d4d7b791fcb2fec7de.exe
- Size
  
  10.2MB
- MD5
  
  d3f70e7671df9f9817768d24c75aa735
- SHA1
  
  d1d758deac586c0629870b5df63f1de5a79d153b
- SHA256
  
  ac6ea6239a4b82d24b823f1a50ab207652024f33726730d4d7b791fcb2fec7de
- SHA512
  
  51a921f93ddd21599fdba186a5abe72f9103e7e5ed4e863f8ff0eefd78e6941276bea1e84c240c3365cada2d4026d6794bae33b9a969d11c0141f17b2f189ac2
- SSDEEP
  
  196608:N/7Olb2w9+L0YFqQxA10++MvJHDO6yBT9k0W8/L2yBE3U/aF1gJ3:NKlq5L0HQK1HnOT9W8qQiFaJ
Score

7^/10
- Loads dropped DLL
behavioral19 behavioral20
- Target
  
  c55761decbe72089e99909a2906c693b159c4b31564d8b795f8821b2683dba27.elf
- Size
  
  97KB
- MD5
  
  94d0eeb26baa543c32dc4ea8b62e83d5
- SHA1
  
  ecac42d08ca947284f63b9e30e3560c05568a963
- SHA256
  
  c55761decbe72089e99909a2906c693b159c4b31564d8b795f8821b2683dba27
- SHA512
  
  b7a826f645342136f37ce549d00e6b28ba23c8b515f83d1c1c6329788fcb74bddc13e723f2030b4c20be5c53b13eec4a6b52c18e9072a90b47153fd7e7955168
- SSDEEP
  
  1536:u4w1sjHa+UtSe5g+r9naSgEHyGF++49MoeuefL6hrDb3cHNSH2b7:k1sjHndez9nIEHyslnuk+hrvGko7
Score

1^/10
behavioral21
- Target
  
  c79a98c3a11afabf39a52a12cb7d1ee6cf4f9df5c7bc54aa969296f50b75aa73.exe
- Size
  
  759KB
- MD5
  
  6ef3cba91b136ae138380b710a104a12
- SHA1
  
  5347a8375a4faaca804d39b6e892241086be8986
- SHA256
  
  c79a98c3a11afabf39a52a12cb7d1ee6cf4f9df5c7bc54aa969296f50b75aa73
- SHA512
  
  f65fd41faa37b1eaca4f60f830fc4c22c43f91821489bbfa9340f65c16e8056cd331b4cf68d8223245cbca6c7493e837cf15b16dfe371ff0a95183a9813051c5
- SSDEEP
  
  12288:YgsrmyiqyJMbloYxlJHATl7Nn4JaywbIK/bOFNEpDg0891ZdujAC6lITYeMmR/E:QF5OyoY5ApZnRywbj/bieTi1ujAC6r37
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral22 behavioral23
- Target
  
  d30f8c9b89f3bd4630fdfb8b9c5390e7e828846cc99d1ba179a2bee7886e6830.doc
- Size
  
  118KB
- MD5
  
  e44b25aa77ee6ec4e9517331b3ee4c94
- SHA1
  
  1b37cdea0ee1cc741f199e30faf0e2bc2563533c
- SHA256
  
  d30f8c9b89f3bd4630fdfb8b9c5390e7e828846cc99d1ba179a2bee7886e6830
- SHA512
  
  6c8fe3f2c02805b3a26c969eb1ca1db91de5a7adbdde17ce403a79950f1f290f9178cf5679fbbcb231e8e744e940d3b30bab865a4de1e4cd21d3a0960f316c53
- SSDEEP
  
  1536:xFwEsxtVS/MOh4GDD1D77L+WUx+a9FU4UU4HU4LUYHUY9U48U4UU4HU4oU47U4/c:xFwEek/MI/F/n
Score

4^/10
behavioral24 behavioral25
- Target
  
  d38f510bc1a2f2e389f22e0a8609f531472d1b367111f74de9109b49c91cbe26.exe
- Size
  
  1.7MB
- MD5
  
  95cbc37d7c73ed0bf29074713701ce8a
- SHA1
  
  da6ad1007e94f69772eee09473dab8b4eb2db14e
- SHA256
  
  d38f510bc1a2f2e389f22e0a8609f531472d1b367111f74de9109b49c91cbe26
- SHA512
  
  a084c74bc1716356dad090a4aba0beee0aa4e098161a191781c48abb4db1c52f6f2167f9e48d60381f5b89822ea17ae62b9a7c755900842c897fad8b9897db81
- SSDEEP
  
  49152:1Djlabwz9+HjAr6EwEVulQgsXd4WfLW+ZrZznY4:Zqw7rmEVulQgYxDPZzY4
Score

1^/10
behavioral26 behavioral27
- Target
  
  d623c0b8d9d662362b6347c6862217221e660082ef0a9bff77a83a6efffda4cf.bat
- Size
  
  35B
- MD5
  
  e45f6a0d55d7fa893be7ec033793ba6b
- SHA1
  
  6905c4a234f4e6e9fcfd222a0d932e827b86d833
- SHA256
  
  d623c0b8d9d662362b6347c6862217221e660082ef0a9bff77a83a6efffda4cf
- SHA512
  
  773730f1b0284d102060f20ac8f6b636fde2036b30ede41b5472754824a87c79c3995de5b7766b0802efb5698961ee82a4e862cb2a474d090b7f9c29e79b396a
Score

1^/10
behavioral28 behavioral29
- Target
  
  RFQ-2402-3572.exe
- Size
  
  706KB
- MD5
  
  2e11cbc359b45e25b7f5f3b6008f3adc
- SHA1
  
  e640cc86dfed0419775c394ed050674667ed8b2e
- SHA256
  
  48c7311341af01dfa4d01d6000fb17d6956d6607f2714bb88bba2f8ca0a93fbc
- SHA512
  
  4a4c3b8d84f8a7a7b09bd584b17f07fe929abd938b64cef95e2890512d988eff116ce726694d53e5d78e3063ed71b0ac3d33ebfa8db6dc3ec8b2469578c5c8ba
- SSDEEP
  
  12288:r3qyJMIC222lCz/mh/otW1AmPCLHmR895zB8DSSAwlDJyhy3KJx:r6Oo222Y7mh/BKm6vDF8+S/GhgKL
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral30 behavioral31
- Target
  
  INV&PL.exe
- Size
  
  888KB
- MD5
  
  3d62e0fc4fca8100b42897e70a53d231
- SHA1
  
  330509cdadfcf790502287f308c30f2f273f2da3
- SHA256
  
  e8337caecb446835a9104cbc6bccf21fb76c0ab31a285a5e2049be0b1a6bc273
- SHA512
  
  bd27f9c93cd80df38221090c21a894676220129f2942e2e1884a47054ff7643de7903384e4033131b758974c876fefed86e4e6c6a30297e6e30e60968101642f
- SSDEEP
  
  12288:Q1ZBq7/ExfbSRmrZn9gHLYBrsd5dewor0FPpDI5mMXoWV2woUb+gRyd1wV1ERc1:Q1Z07/ExfbVrZn9GXd/cm05mMXzvr+qp
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Suspicious use of SetThreadContext
behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

AgentTesla

Adds Run key to start application

Suspicious use of SetThreadContext

AgentTesla

Adds Run key to start application

Suspicious use of SetThreadContext

Contacts a large (74734) amount of remote hosts

Creates a large amount of network flows

Formbook

Formbook payload

Suspicious use of SetThreadContext

AgentTesla

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Modifies file permissions

Suspicious use of SetThreadContext

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

AgentTesla

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

AgentTesla

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12