agenttesla | 6b6f57dc837bbcd056b5e5c76dfe32c362142ff8b228f0c5153b59a21d17e38f | Triage

Submit
Reports

Overview

overview

Static

static

1

DHL1x20'LY...74.vbs

windows7-x64

DHL1x20'LY...74.vbs

windows10-2004-x64

Sharing

General

Target

01072024_1030_01072024_DHL1x20'LY736449574.gz
Size

9KB
Sample

240701-mjvc2azcjm
MD5

9b614dc4cda6d3b9ca3e93a0c4504c9b
SHA1

0638be915c6f9e4ab6a4d329acb48fb4680288b9
SHA256

6b6f57dc837bbcd056b5e5c76dfe32c362142ff8b228f0c5153b59a21d17e38f
SHA512

615cb99db7c10cb6ba518990b7c8ef24d9b1d75aecb18e37a5b7fbd2eb382156a7a7d83c2f62edf0c1e3eab418e9725f5ccd557e97760e6ce73c888a7bff688d
SSDEEP

192:Y9byKbgjF7HGd5TdtjJw1913uwxAmeFnqIIMzWrHX5q9BrR2zXXM:YQ7mXRtji135xte7IMzWrHXArR2LM

Score

10^/10

agenttesla keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

DHL1x20'LY736449574.vbs

Resource

win7-20240611-en

agenttesla keylogger spyware stealer trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

DHL1x20'LY736449574.vbs

Resource

win10v2004-20240508-en

agenttesla keylogger spyware stealer trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
@Ixk.X0Q&I?d

Targets

- Target
  
  DHL1x20'LY736449574.vbs
- Size
  
  18KB
- MD5
  
  e18818173f8cf93e8b168e29c4ac3136
- SHA1
  
  42059e8cf7003ad0e269f9ac0752e0387948c364
- SHA256
  
  5563fa21470df110e69ef51c2ae908f4f9cba15b135f9d32d38971a7eabd1e9b
- SHA512
  
  31c99f32ac7f71a61d2888872c8da4e259ba61fc685718155cfb01fec95f594376cc4bc3a6fb185325e5cba7493b7cea363bbe3a2be492406db07a2f28853b6a
- SSDEEP
  
  384:4dQM+6JUwsljx9xS04WLhbumq0mYSNBeVTmF+SGKKB1dA0+TgtAtTmblc:unJUDvSrPBQmF+SGKKBA08ltz
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy