General

  • Target

    SHIPPING ADV#202109.zip

  • Size

    425KB

  • Sample

    210915-jce3zsdbek

  • MD5

    85c5cae427703ebe4021fa8ce265c945

  • SHA1

    6fa39c983e33c49ba52bb54e90df73bb9f99bc96

  • SHA256

    c72743158ad2d3efab41bfc3c76e48d98139a53bb3786379149316b6cfb42f87

  • SHA512

    d3b266008b028df2171a0cd866ff3cd20fa84b762e85ef8cf581027020689f19788c51da327da2d79f9f656193a75f9db4671b4b3d0aa5bfdc882d7a19326a35

Malware Config

Extracted

  • Family

    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.bsia.co.in
  • Port:
    587
  • Username:
    yogesh@bsia.co.in
  • Password:
    21mbsia@)@!Y

Targets

    • Target

      SHIPPING ADV#202109.exe

    • Size

      831KB

    • MD5

      db00ed0da0d3e5a11fd18a042c5c0c76

    • SHA1

      6de345db616385f220843d3c566710aa11a64681

    • SHA256

      6674e9af3a42239eaa8455873f2ee7deb83add5bb32b3f40619d9efee701527b

    • SHA512

      920aaf4919aeda252d7516e6c6e5c18af984aa3560fe62d34bb3bf84770b97f4ddfc17ea9829410d6e7faa91d8097408840fa33add292143dda734b9343f36ae

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Virtualization/Sandbox Evasion (2) T1497

  • Credential Access

    Credentials in Files (3) T1081

  • Discovery

    Query Registry (4) T1012
    Virtualization/Sandbox Evasion (2) T1497
    System Information Discovery (3) T1082
    Peripheral Device Discovery (1) T1120

  • Collection

    Data from Local System (3) T1005

Tasks