agenttesla | 469796c41aa2ac6c574582a7894179a7f727cc3b7e78a512acf5ce2d2b82f80f | Triage

Submit
Reports

Overview

overview

Static

static

3

Loader.exe

windows10-1703-x64

Sharing

General

Target

Loader.exe
Size

1.6MB
Sample

240628-1czk3asfjh
MD5

53a8f7fcd91f5fe3dd76e22d83709d51
SHA1

9b2c1bdb6d02dc807dcf0185649e9e790ac8226c
SHA256

469796c41aa2ac6c574582a7894179a7f727cc3b7e78a512acf5ce2d2b82f80f
SHA512

910e0d9604583e9f0e1c96962a1988b8b0861031f40a38b3dc48440e8e9680513d9cf4734bb16cac0507087ee41a058bcdce2d7fe4dd1cffd937496e42507daa
SSDEEP

49152:dKTewD+uWhJbH2nHqtp/oNbm0RNzXrgCW5wpKn:dKTt+uAdWnHqtONbm0TbgCWCon

Score

10^/10

agenttesla defense_evasion execution keylogger spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Loader.exe

Resource

win10-20240404-en

agenttesla defense_evasion execution keylogger spyware stealer trojan

windows10-1703-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  Loader.exe
- Size
  
  1.6MB
- MD5
  
  53a8f7fcd91f5fe3dd76e22d83709d51
- SHA1
  
  9b2c1bdb6d02dc807dcf0185649e9e790ac8226c
- SHA256
  
  469796c41aa2ac6c574582a7894179a7f727cc3b7e78a512acf5ce2d2b82f80f
- SHA512
  
  910e0d9604583e9f0e1c96962a1988b8b0861031f40a38b3dc48440e8e9680513d9cf4734bb16cac0507087ee41a058bcdce2d7fe4dd1cffd937496e42507daa
- SSDEEP
  
  49152:dKTewD+uWhJbH2nHqtp/oNbm0RNzXrgCW5wpKn:dKTt+uAdWnHqtONbm0TbgCWCon
Score

10^/10

agenttesla defense_evasion execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- An obfuscated cmd.exe command-line is typically used to evade detection.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Window

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Process Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agenttesladefense_evasionexecutionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy