Overview

overview

10

Static

static

BND28384.exe

windows7_x64

10

BND28384.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BND28384.zip

  • Size

    467KB

  • Sample

    211018-w7666sfbhm

  • MD5

    241882fe80267cfd978612a6c1313cd4

  • SHA1

    6c85454aa96d5bfa6e6b327b5cd00c479d88f0a3

  • SHA256

    0270ccbf19805f0f367437cde61674671fb089dd7349df65b7e1408ac464d1f6

  • SHA512

    fdcbe89370ae6008606a0b4db88dffaac4eb267389714972749b8e5c6108b82368b432c5cee31b4f54900823f6be63ac326e397f825c049d1b609bdb97c38753

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.westviewcargos.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Choice@@@12345

Targets

    • Target

      BND28384.exe

    • Size

      739KB

    • MD5

      91b12e9726457f2c6ad29b8b27bf7e3c

    • SHA1

      03406222c3cc95e03736a5844e31975b714758dd

    • SHA256

      e4a297a62797d50a37f87d75499be34639395d4791416d2be66c0e3c6a43a8d1

    • SHA512

      8e220ae8c5765fcb4cb65e5d04f4f7c296ecd22d6d81556bc4cf908b66e49210e8139e18b9a82f837870c390388d10f9cea2a575d46b6dc8dc574585500cb907

    Score
    10/10
    agentteslaevasionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks