General

  • Target

    35578304585f5d4ab8a08c8c4132a357a1630b4f47123a971c0950945a8069e1

  • Size

    680KB

  • Sample

    220619-wjbqcsffbr

  • MD5

    ca7556eeba02e7eb040af1e988220117

  • SHA1

    a58732339569e567f8bdc4bfa27d442b9fb98089

  • SHA256

    35578304585f5d4ab8a08c8c4132a357a1630b4f47123a971c0950945a8069e1

  • SHA512

    64f11cc735e71ec2b124250f41e13649bd0b0cc60aa265f7d63887c8fe8a5e89b0c2d2b6502fac992a1d9ad599ed4f72a2157f645cd912cd80154deb68ceb4f9

Malware Config

Targets

    • Target

      grace.exe

    • Size

      750KB

    • MD5

      dd45870570b5eeabe6ecec62a093fced

    • SHA1

      c6364fe561cd82f0ac20d6beb23655b188c7d2f4

    • SHA256

      8cdc238ef7df045b66f34ff099f05f4bbf42a6d262b0f3cf6a224a2ea95f4505

    • SHA512

      3ede737c03ee4f2d67e30390726ad6359842a6aa59e6e8d9c56d89fd0bb45e865162fcbcfc41a78c2da56325d8fa88156c32ddc1f592eac78b3ee7199db43dbc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081), 3

  • Collection

    Data from Local System (T1005), 3

    Email Collection (T1114), 1

Tasks