jamal-soc21/malware-analysis--011--AgentTesla

GitHub: jamal-soc21/malware-analysis--011--AgentTesla

Stars: 0 | Forks: 0

# malware-analysis--011--AgentTesla

## 🕵️‍♂️ Investigation Report — AgentTesla

- Analyst: Jamal Mahmoad
- Date: 2026-05-28
- Sample: AgentTesla
- SHA256: f126a67a8f8b0108fa85b7d9b772a37635446f4067ea50d05024c563507c52ed

## 📌 Summary

Trojan 🐴 → Fake program that tricks users and steals access.

📂 Delivered as: Shipping documents.zip (disguised as legitimate).

## 🔎 Detection

- VirusTotal: 46/68 vendors flagged
- Classification: Trojan / Dropper
- Family: AgentTesla

## ⚙️ Behavioral Analysis (MITRE ATT&CK)

- Execution (TA0002): WMI, Scheduled Tasks, Command/Scripting, Native API, Proxy Execution, Hijack Flow.
- Persistence (TA0003): Scheduled Tasks, Registry Mods, Boot/Logon Autostart.
- Privilege Escalation (TA0004): Process Injection, Autostart, Scheduled Tasks.
- Defense Evasion (TA0005): Obfuscation, Masquerading, Indicator Removal, Sandbox Evasion, Hide Artifacts.
- Credential Access (TA0006): Dumping, Input Capture, Cookie Theft, Password Stores.
- Discovery (TA0007): System Info, Registry, Processes, Files, Software.
- Collection (TA0009): Local Data, Input Capture, Email Collection.
- Command & Control (TA0011): Application Layer Protocols.
- Defense Impairment (TA0112): Registry Modification.

## ✅ Conclusion

AgentTesla uses Trojan + Dropper capabilities to infiltrate systems, steal credentials, and maintain persistence. Its techniques align with the MITRE ATT&CK framework, showing a full attack chain from execution to C2.
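The delivery vector above (an archive named like shipping paperwork that actually carries an executable) is the first thing a SOC analyst triages. The script below is an added example and is not part of the original report: it opens a zip archive, flags members that carry an executable extension, a document-style double extension, or a PE (`MZ`) header under a non-executable name, and compares each member's SHA256 against the IoC from this report. The archive it builds is constructed in-memory with stand-in bytes (no real malware), and the extension lists are an assumption that you would tune for your environment.

```python
"""Triage a suspicious archive the way a SOC analyst would for a delivery
such as "Shipping documents.zip". Added example, not the report's own tooling."""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field

# SHA256 taken from the report's IoC section.
KNOWN_BAD_SHA256 = {
    "f126a67a8f8b0108fa85b7d9b772a37635446f4067ea50d05024c563507c52ed",
}

# Assumption: a typical list of extensions Windows executes on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1"}
# Assumption: extensions a lure uses to look like a harmless document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


@dataclass
class Finding:
    member: str
    sha256: str
    reasons: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _suffixes(name: str) -> list:
    """All dotted suffixes of the basename, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_archive(zip_bytes: bytes) -> list:
    """Return a Finding for every archive member that trips at least one check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            finding = Finding(member=info.filename, sha256=sha256_hex(data))
            sufs = _suffixes(info.filename)
            last = sufs[-1] if sufs else ""
            if last in EXECUTABLE_EXTS:
                finding.reasons.append(f"executable extension {last}")
            if len(sufs) >= 2 and sufs[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                finding.reasons.append("document-style double extension")
            # Masquerading: a PE image saved under a document name.
            if data[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
                finding.reasons.append("PE header (MZ) under non-executable name")
            if finding.sha256 in KNOWN_BAD_SHA256:
                finding.reasons.append("SHA256 matches known AgentTesla sample")
            if finding.reasons:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive; member contents are inert stand-ins, not real samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipping documents.pdf.exe", b"MZ" + b"\x00" * 62)  # constructed PE-like stub
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)                # PE bytes under a document name
        zf.writestr("readme.txt", b"tracking number pending")           # benign text, no finding
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_zip()):
        print(f"{f.member}: sha256={f.sha256[:16]}... reasons={'; '.join(f.reasons)}")
```

Only members with a reason are returned, so a clean archive yields an empty list. The hash match will of course fire only on the real sample bytes; the name and header checks are what catch a fresh repack of the same lure that VirusTotal has not seen yet.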