Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language, MSIL) platform, family AgentTesla

This detection identifies AgentTesla, a .NET-based information-stealing trojan. The malware uses techniques such as system hooking and abuse of legitimate Windows tools (LOLBins) to capture keystrokes, steal credentials from applications, and exfiltrate the stolen data to the attacker.

Relevant strings associated with this threat:

- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
```yara
rule Trojan_MSIL_AgentTesla_KKAA_2147904768_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/AgentTesla.KKAA!MTB"
        threat_id = "2147904768"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "AgentTesla"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "14"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "SELECT * FROM Win32_Processor" wide //weight: 2
        $x_2_2 = "Win32_NetworkAdapterConfiguration" wide //weight: 2
        $x_2_3 = "IPEnabled" wide //weight: 2
        $x_2_4 = "Win32_BaseBoard" wide //weight: 2
        $x_2_5 = "FormatID: {0}" wide //weight: 2
        $x_2_6 = "Version: 0x{0:X}" wide //weight: 2
        $x_2_7 = "\\Device\\LanmanRedirector\\" wide //weight: 2
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
```

Associated sample hash: 376365bd19592ce5564fbf9508ed76d0444efc7b6f0c545292f3075b3f10915c

Isolate the affected system from the network immediately to prevent data exfiltration. Use an updated endpoint security solution to perform a full scan and remove the threat. Reset all passwords and credentials for any accounts used on the compromised machine.
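An added example, not code from the threatcheck.sh page or from YARA itself, that emulates this rule's condition in Python to show what the `wide` modifier and the weight/threshold metadata mean in practice. The two sample buffers are constructed for the demonstration, not real samples.

```python
"""Emulate the matching logic of Trojan_MSIL_AgentTesla_KKAA_2147904768_0.

Constructed example (not threatcheck.sh code). It shows that the `wide`
modifier searches for UTF-16LE encodings (how .NET stores string literals in
the #US heap) and that the threshold of 14 with seven weight-2 strings is
equivalent to the rule's `all of ($x*)`.
"""

# The seven weighted strings, exactly as they appear in the rule.
RULE_STRINGS = {
    "$x_2_1": "SELECT * FROM Win32_Processor",
    "$x_2_2": "Win32_NetworkAdapterConfiguration",
    "$x_2_3": "IPEnabled",
    "$x_2_4": "Win32_BaseBoard",
    "$x_2_5": "FormatID: {0}",
    "$x_2_6": "Version: 0x{0:X}",
    "$x_2_7": "\\Device\\LanmanRedirector\\",
}
WEIGHT = 2                        # every string carries //weight: 2
THRESHOLD = 14                    # meta threshold = "14" = 7 * 2
MAX_FILESIZE = 20 * 1024 * 1024   # filesize < 20MB (YARA's MB is 2**20)


def matched_strings(data: bytes) -> list[str]:
    """Identifiers of rule strings present in `data` as UTF-16LE.

    A plain ASCII occurrence does NOT satisfy a `wide` string.
    """
    return [name for name, s in RULE_STRINGS.items()
            if s.encode("utf-16-le") in data]


def matched_weight(data: bytes) -> int:
    """Sum of the weights of matched strings (what the threshold applies to)."""
    return WEIGHT * len(matched_strings(data))


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition: (filesize < 20MB) and (all of ($x*))."""
    return len(data) < MAX_FILESIZE and matched_weight(data) >= THRESHOLD


# Constructed buffers: the literals embedded as UTF-16LE (as a compiled .NET
# assembly would store them) versus the same literals as plain ASCII.
WIDE_SAMPLE = b"MZ" + bytes(64) + b"\x00".join(
    s.encode("utf-16-le") for s in RULE_STRINGS.values()) + bytes(64)
ASCII_SAMPLE = b"MZ" + bytes(64) + b"\x00".join(
    s.encode("ascii") for s in RULE_STRINGS.values()) + bytes(64)

if __name__ == "__main__":
    for label, blob in (("UTF-16LE", WIDE_SAMPLE), ("ASCII", ASCII_SAMPLE)):
        print(f"{label}: weight={matched_weight(blob)} match={rule_matches(blob)}")
```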