Overview

overview

10

Static

static

10

hesaphareketi000.exe

windows7_x64

10

hesaphareketi000.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1ef0ca67344f66e073563a6caa7fdc56644bc29c3b8438a26d4339dc78965a92

  • Size

    262KB

  • Sample

    220520-2z96rabcfn

  • MD5

    ce1626d64a916d2093ff7c22743acca7

  • SHA1

    8774b839120047a62df701b6f314a7cfdf265b82

  • SHA256

    1ef0ca67344f66e073563a6caa7fdc56644bc29c3b8438a26d4339dc78965a92

  • SHA512

    2d6ca82be95a18f65561adeecb7c4419ea0ddf150d003205c3f3920a16545a51259d0ded88e8ff66c02ddd1f5f1a56f59de1f1f81c2f67aeeac4b33faf278339

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      hesaphareketi000.exe

    • Size

      721KB

    • MD5

      ee268a8eefbf81ce4c0ca0f6b491c5c4

    • SHA1

      309d1f44e6e341f4bdfbc8b3f3865be5be699c7b

    • SHA256

      63d4079c4844acd28e5a2576ac5a76acb5a6514b588e33d8db2d4f71cec7adbc

    • SHA512

      5d3112c5e84ab9ce99d7d22ab0b977740693481497a3f0cf109305112a6ef4ee19e5deb47ab943b4622ca0a5869a2ac04c6d37ddd36619f09c4c2033b0bed585

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks