Concrete signature match: Trojan - Appears legitimate but performs malicious actions for .NET (Microsoft Intermediate Language) platform, family AgentTesla
This detection identifies AgentTesla, a .NET-based information-stealing trojan. The malware uses various techniques, such as system hooking and abusing legitimate Windows tools (LOLBins), to capture keystrokes, steal credentials from applications, and exfiltrate sensitive data to an attacker.
Relevant strings associated with this threat:
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_MSIL_AgentTesla_KKAA_2147904768_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/AgentTesla.KKAA!MTB"
        threat_id = "2147904768"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "AgentTesla"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "14"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "SELECT * FROM Win32_Processor" wide //weight: 2
        $x_2_2 = "Win32_NetworkAdapterConfiguration" wide //weight: 2
        $x_2_3 = "IPEnabled" wide //weight: 2
        $x_2_4 = "Win32_BaseBoard" wide //weight: 2
        $x_2_5 = "FormatID: {0}" wide //weight: 2
        $x_2_6 = "Version: 0x{0:X}" wide //weight: 2
        $x_2_7 = "\\Device\\LanmanRedirector\\" wide //weight: 2
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the affected system from the network immediately to prevent data exfiltration. Use an updated endpoint security solution to perform a full scan and remove the threat. Reset all passwords and credentials for any accounts used on the compromised machine.