Overview

overview

10

Static

static

UwA4VF8Q47llTPK.exe

windows7-x64

10

UwA4VF8Q47llTPK.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    payment slip.r00

  • Size

    584KB

  • Sample

    221003-qbdl4agec2

  • MD5

    e62b5a4927820056839c68f5db1d35c2

  • SHA1

    542bfb630ba62834dab970a345ab68908bfc1969

  • SHA256

    8f9939c5f5893ef25709627e398f9f07320b4e7613044f0ae61085d2c23c336a

  • SHA512

    14e3f3684efbf4bcfe1ac2dc1c10cc64b9c4c7a9673e44868f104ed5ecca1bf53076742c34ee5003cb02ea08f27cd2c98085ddcb6e700e88004b7d8ba3746a56

  • SSDEEP

    12288:H0Vx2q159A3dwOP0XYEew5+kj1pMb1WV3ZMNlbkRXwlH4/cgA6QjJ:+xvybEew5+kq1WVJMNlbkVwCzuJ

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5380301623:AAEiiAoD9x5hD8Dpz7EhZFXpW2UQGzFYtzs/sendDocument

Targets

    • Target

      UwA4VF8Q47llTPK.exe

    • Size

      885KB

    • MD5

      635810567724d851329c7b597084cb25

    • SHA1

      82b1b648692329bb6e9717a70c4be861517a1585

    • SHA256

      1ef16af3f7642ec03539fa7601a95f6576a196d6dc7790a09389d461f91a14b3

    • SHA512

      f7585deb4a8b62a81fe0ee391c9cdb917df90bd463c4be1690c5f17c6563e5842b3787d6023d3c19024b6e281d55bf5ff2f03d2211caf034efca6e3ee5588e80

    • SSDEEP

      12288:MK4HTNPbUpS2QNS1BYBy8QYaLSbcDlPeBpj6znilkSj9pcVHfJhm3rKn:WT26S1BYByddHhApZ9pcVRo3m

    Score
    10/10
    agentteslacollectionevasionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks