agenttesla | 6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66 | Triage

Submit
Reports

Overview

overview

Static

static

3

tmpg954p4dh.exe

windows7-x64

tmpg954p4dh.exe

windows10-2004-x64

Sharing

General

Target

tmpg954p4dh
Size

640KB
Sample

240701-xd19haxcnk
MD5

6dd4f871c7d18b3f1b45a7112c21ced3
SHA1

e4f29ee54067cb1b18269e652f0b9deea63f437b
SHA256

6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
SHA512

201478a2c249882aaa3c79ea633738d197b8be373648926b722775ba0bcc698a53680cdce79c30d76bc587b68a2c55839304b0abe8ccccca11778fc3cf960723
SSDEEP

12288:YAt3lRPMManKx996Fd5UtTOOXKQrdMuZeoakR+pt7aQaBnvy8K:R1RO+Gd+8QrdLZbe7a5vB

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

tmpg954p4dh.exe

Resource

win7-20240508-en

agenttesla execution keylogger spyware stealer trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmpg954p4dh.exe

Resource

win10v2004-20240611-en

agenttesla execution keylogger spyware stealer trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
Asaprocky11
Email To:
[email protected]

Targets

- Target
  
  tmpg954p4dh
- Size
  
  640KB
- MD5
  
  6dd4f871c7d18b3f1b45a7112c21ced3
- SHA1
  
  e4f29ee54067cb1b18269e652f0b9deea63f437b
- SHA256
  
  6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
- SHA512
  
  201478a2c249882aaa3c79ea633738d197b8be373648926b722775ba0bcc698a53680cdce79c30d76bc587b68a2c55839304b0abe8ccccca11778fc3cf960723
- SSDEEP
  
  12288:YAt3lRPMManKx996Fd5UtTOOXKQrdMuZeoakR+pt7aQaBnvy8K:R1RO+Gd+8QrdLZbe7a5vB
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerspywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy