General

  • Target

    d46ccbfb32d6c514c41f244b5bd4f26d58e5f20e3c47ce04e8140d232a4b4e59

  • Size

    531KB

  • Sample

    220521-chntraghhj

  • MD5

    be2cacc9f7d86bde605573d962b42a2d

  • SHA1

    6a30b5cf495c3462c91e8b4e48f9e789d55c7d5f

  • SHA256

    d46ccbfb32d6c514c41f244b5bd4f26d58e5f20e3c47ce04e8140d232a4b4e59

  • SHA512

    7e6d8394478eaa6c9b089d5117ae156eabd0531f279389aed0aa623d9c70860c3c36d0b470e095258c16dc166ebfdaadba9ca9a13a54e211153342b5e77b1cd1

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    webmail.dragon-pack.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    LYNAHRDt12

Targets

    • Target

      FWD_2020080317368428389989134962381931603322231765263557.exe

    • Size

      730KB

    • MD5

      0d61b4602c75404e9602028386be0b64

    • SHA1

      205e954e6482520aa4b0a83010839d4e2a74a3ad

    • SHA256

      b5f13642aea2fab7e7172b1b93f7d154e80b1675de919b4b7b9f0c5b943ab67e

    • SHA512

      705687cbf0fa908945b7b81252e493a42e26a3fdc0f74b2c9018776399d00b3657218ef3bb280010b6ae9b68937da74681ab0b4c2b2b0c0f5bab3f8e9a789c69

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                        Count  ID
  Execution              Scheduled Task                   1      T1053
  Persistence            Scheduled Task                   1      T1053
  Privilege Escalation   Scheduled Task                   1      T1053
  Defense Evasion        Virtualization/Sandbox Evasion   2      T1497
  Discovery              Query Registry                   4      T1012
  Discovery              Virtualization/Sandbox Evasion   2      T1497
  Discovery              System Information Discovery     3      T1082
  Discovery              Peripheral Device Discovery      1      T1120

Tasks