agenttesla

Sharing

Copy URL Twitter E-mail

General

Target

NUEVA ORDEN - NM049300 FERMAXIA-password(QKmLgls3).zip
Size

1.7MB
Sample

250517-zsx7hagk8y
MD5

45477e866dc304f06c3ae2c406b2bed1
SHA1

d253c156ce77e1a28abd5f87a42a06fb486a542b
SHA256

845c7e0dbf037bc7528dce1b3fb517dbdd584a3fdeb85e224069b7061f0f4883
SHA512

229d709840cd102f7205382297e456f9f34e3bef6e0987007dfd215e3b4fcc855a9dffc520dd2c38e282f1473b1af195af66c835bb47a51ddce090f4c80052b5
SSDEEP

49152:Xd4s577LSOsddvNmNrJJkMWlg4cE1pH2QNxfhl4:N4s5sdsNrJJkHllHL2QNN4

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.lampadari.gr
Port:
21
Username:
[email protected]
Password:
P8P[uVeJU=vh

Targets

- Target
  
  NUEVA ORDEN - NM049300 FERMAXIA-password(QKmLgls3).zip
- Size
  
  1.7MB
- MD5
  
  45477e866dc304f06c3ae2c406b2bed1
- SHA1
  
  d253c156ce77e1a28abd5f87a42a06fb486a542b
- SHA256
  
  845c7e0dbf037bc7528dce1b3fb517dbdd584a3fdeb85e224069b7061f0f4883
- SHA512
  
  229d709840cd102f7205382297e456f9f34e3bef6e0987007dfd215e3b4fcc855a9dffc520dd2c38e282f1473b1af195af66c835bb47a51ddce090f4c80052b5
- SSDEEP
  
  49152:Xd4s577LSOsddvNmNrJJkMWlg4cE1pH2QNxfhl4:N4s5sdsNrJJkHllHL2QNN4
Score

1^/10
behavioral1
- Target
  
  a66e05684cd828e5a9b1771963a0121a13c7304a2a4037920dfb54d476575f9c.eml
- Size
  
  1.7MB
- MD5
  
  911b986bbfad904ca8481f54d6a30293
- SHA1
  
  353d5e1d066d6e70e95bd7dcc10369d82701dab1
- SHA256
  
  a5402b71761d83b2bb8b91f6c56a522aa820db06608464ed8d551976dad6d8b1
- SHA512
  
  96e8489534e77c241154fcfa7270df1405497aeef854b90a1002fd3a95eceea4cfa4c322846e7c9e6929f278e2a2f913cfa090b6aed6152e55c0df292c4e8fb3
- SSDEEP
  
  24576:IBqnTANlmGdVkRCRS/l2oU2N0xBXYse9NgdUA+tzS1N8b5I3ITcv5pMMMkEKWvQU:IQBFCQnN0xBXC9NLx2GSaspMMREKfKL
Score

3^/10
behavioral2
- Target
  
  Orden_NM049300 FERMAXIA.pdf.001
- Size
  
  1.2MB
- MD5
  
  c17880bfc903d02a80f6b80e1abaafb4
- SHA1
  
  6b28c236aca016d67c705b58f3fee69e09ce920b
- SHA256
  
  e375e707631fd52a260161035ef7bf639f1d94338a169c733c6729f73d2eaf8b
- SHA512
  
  56e7e0e1d5c7762ea781c7c402db6c0e248ebe9e3cb0123ce9bafd3858091ec317b3bb750533e725071de107605e7b870c3b7868830ea48400b058bbb96ca06a
- SSDEEP
  
  24576:Bp6YIm4/bYfz3CgmpifFsIEV21zm/WNB0moL5F3ffr50ZQmx5+dxjuhIxq:BpiKLbfFsZ213NB095FHN0yA5w4Ixq
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3
- Target
  
  Orden_NM049300 FERMAXIA.pdf.exe
- Size
  
  139.0MB
- MD5
  
  f401a397d3c7b5a1085b07e0af7ec1f1
- SHA1
  
  595764cfd5c9c3879b67654715cb61e29d96d2f1
- SHA256
  
  6625cf920ee3eff3570c976c4dd2ce2bd603ab7b5982b413f691b931a80df134
- SHA512
  
  f6c83fd9863bd4d90493d6010eb87fe52c04bc564189471ce352660e5041df06704448a55c48864b05c580308adf4df34a608094487e385f1794bc1a1bfec04d
- SSDEEP
  
  24576:Jhl1uwXZu1sz7qxCbNFJoL2Ia0lit0moAp3nadNxkrDKWyD71yClk:Dlow37Lb3JoKIa0DmnnadNae1/lk
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral4
- Target
  
  Outlook-Icon
- Size
  
  699B
- MD5
  
  b9b94095f69913212fad8c83a833c03d
- SHA1
  
  d3a104431c79bad961b7ec9c5b06ac4dd5fdb4fc
- SHA256
  
  4b628a711bb7d4dab5f643bf48819e7234d0f2fecf5b5bf96f0577291480f1e3
- SHA512
  
  e6036782d08dcda8a0db9b0ffc1c1c06fcbaa6033e72e72c55f760648f0890f9e1aa6067de933722de87829e4dd6e096dc44a4584ce0a4d267b102aaedc45173
Score

1^/10
behavioral5
- Target
  
  Outlook-j1cm1hfd.png
- Size
  
  28KB
- MD5
  
  5b33d248b42e8e1dd92d247fd37db0c0
- SHA1
  
  01c639d6ea8ab2f0b4370b0075c04459dec80b6c
- SHA256
  
  9a9897fbaa4887c478674dddecd582b99f25e0b143856a91fb2234f9936f304b
- SHA512
  
  433ee78e0e9c42e7ebb38f68995a2a5e68f3047033deadb2529e3c7ce85bf15be07dd01521c21e6c08f2c563d62ba0651c108b1f59bffa3d591e1bc8dab87a1b
- SSDEEP
  
  768:JAIN2axxSq5Uk95KldAexlznu9a3MZyxFmbck4AAq:pMmUqh95KldAMznj3MZyxFof
Score

1^/10
behavioral6
- Target
  
  email-html-2.txt
- Size
  
  9KB
- MD5
  
  772fa21b714bc471a4cd26f58b492a2b
- SHA1
  
  a26911ec7d84044e62cd442a19edd28af95140f5
- SHA256
  
  6e5f6b6f85fa72873074f9347f6888c7bdbd4d4dd598cf1b61bef37c71c6b876
- SHA512
  
  b4b65f171a19b8e1f143c1382665a9d95c236fcfd233887af3d8583eac81b93d0ea21ed34c85ce93f479e99958cb42f0d27030b9b356307dc73ea7c48a91bdc4
- SSDEEP
  
  96:ZEvAx9wQ2lQcQL7KQLnxKQLnKQLFXdDKQLdVgUlSHBamQLSLjKQLVKQMo4oP/ddJ:ZMlQv1nv5FXdNd+UlOBgSLtsywEPic
Score

4^/10

discovery
behavioral7
- Target
  
  email-plain-1.txt
- Size
  
  2KB
- MD5
  
  28917dee795fc079e82349b744c7398e
- SHA1
  
  4ca398c4db7f253f15af492a48e9a0148254bed5
- SHA256
  
  959a47225c3e6b3e6892bc7807c17037cfeb0d7f34689e12b79e1d7cd94b0787
- SHA512
  
  4d3c574c73b7e23a82aaf7611a7f7d977cad708ce071f18f00bdb82920ed170739d0420f077867987b5a5db199d0f8b54aa09c288ec675f782f87db98b816cfb
Score

1^/10
behavioral8

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Agenttesla family

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

AgentTesla

Agenttesla family

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8