Overview

overview

10

Static

static

$35@@#.exe

windows7_x64

10

$35@@#.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    $35@@#.exe

  • Size

    516KB

  • Sample

    210727-6rdwtzlh7n

  • MD5

    fe61f0a471b697d0c381c64eddf3649c

  • SHA1

    bb8575caccc983a10f86de8c86e5e6598b993b27

  • SHA256

    412991e242a1a3b4325e9d22e9158880214f13fd0db68c8509fab47d4f09c9d5

  • SHA512

    6b279820631cd2d86d4e545a18b9dd1cedf81bfe921fbcddb8c042a9f64e2883c75acae047f770e15e4d01d0524f0d6de16de8dcf44428e06b382cfb138f78d0

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/sendDocument

Targets

    • Target

      $35@@#.exe

    • Size

      516KB

    • MD5

      fe61f0a471b697d0c381c64eddf3649c

    • SHA1

      bb8575caccc983a10f86de8c86e5e6598b993b27

    • SHA256

      412991e242a1a3b4325e9d22e9158880214f13fd0db68c8509fab47d4f09c9d5

    • SHA512

      6b279820631cd2d86d4e545a18b9dd1cedf81bfe921fbcddb8c042a9f64e2883c75acae047f770e15e4d01d0524f0d6de16de8dcf44428e06b382cfb138f78d0

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks