General

  • Target

    3DFF084B15CE8F39DBBB23B1A0CCAD0634F716CC35218572349ED31D36EFFEC2

  • Size

    329KB

  • Sample

    221123-r1qtdsaa49

  • MD5

    ca065cc2e9663ef334e9d1acd58b7478

  • SHA1

    987618ce3897f8de4f199b84d1ad35e8432eb5b6

  • SHA256

    3dff084b15ce8f39dbbb23b1a0ccad0634f716cc35218572349ed31d36effec2

  • SHA512

    62bf555381736c7c1e95375e455377abf9fb5ca827d40db2cd645bc5f3344f28e199844bd2d10085293cf395bcfb4009a2636afd514d3849529fb87cde53913e

  • SSDEEP

    6144:5sXzfyHVN7CTbT1WWvw6MbtWfLkidIPCbx2EDUfuFiFZWO12/pyEG4/22LMGnjTF:59b7CRzv3QAT6PCbIfuB62/pybBe

Malware Config

Extracted

  • Family

    agenttesla

  • C2

    https://api.telegram.org/bot5705602282:AAFcwBeX9coGMKJeokPZOq06CS7N1H2rCJI/

Targets

    • Target

      DHL_AWB 2870565795/DHL_AWB 2870565795.exe

    • Size

      478KB

    • MD5

      58f6a878d2834fe4ef2748a6ff34da71

    • SHA1

      cd446f562bdb956a358c5230bc9b255356a5565e

    • SHA256

      d2bd7d282670277d1f8f2f569ef18f889a634c11909d9f157d66837a66618717

    • SHA512

      206fd2c9f0ba720e68951a329dd6a1760a474cf5313b05ff355dda9fec49f66f5c02c5ddf469a9f091926890a0345bb43de183e8990a7b47db45d5fe40e3a0b0

    • SSDEEP

      12288:hznTdXs1M6tMy8JRwcM3ykuVu9p8KnZKzz+FWgxh0:9heMGMyCRwcGyz08KZKSW2

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic. This sample's extracted config points at the Telegram Bot API (see C2 above), which is the channel it uses to send collected data out.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another (typically suspended, newly created) process is the usual last step of process hollowing: the child's image is replaced and its entry point redirected before the thread is resumed.
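The behaviours above are the sandbox's signature names; the report does not show the logic behind them. As an added example (not the sandbox vendor's code and not taken from this run), the Python below turns those behaviour names, plus the C2 indicator from the Malware Config section, into rules that run over a few constructed sandbox-style events. The registry paths, the IP-lookup hostnames, the event shape and the mapping of each behaviour onto ATT&CK v6 technique IDs are assumptions chosen to fit the behaviour names and the counts in the report's matrix; the sample events are constructed, not extracted from the sample.

```python
import re
from collections import OrderedDict

# Behaviour rules: (behaviour name as the report lists it, ATT&CK v6 technique IDs the
# behaviour is counted under, event kind it applies to, case-insensitive regex over the
# event target).  ASSUMPTION: the sandbox's real signature logic is not published; these
# paths and the technique mapping were chosen to match the names and counts in the report.
RULES = [
    ("Looks for VirtualBox Guest Additions in registry", ("T1497", "T1012"), "reg_query",
     r"\\software\\oracle\\virtualbox guest additions"),
    ("Looks for VMWare Tools registry key", ("T1497", "T1012"), "reg_query",
     r"\\software\\vmware, inc\.\\vmware tools"),
    ("Checks BIOS information in registry", ("T1082", "T1012"), "reg_query",
     r"\\hardware\\description\\system\\bios"),
    ("Maps connected drives based on registry", ("T1120", "T1012"), "reg_query",
     r"\\system\\currentcontrolset\\services\\disk\\enum"),
    ("Accesses Microsoft Outlook profiles", ("T1114",), "reg_query",
     r"\\microsoft\\office\\[\d.]+\\outlook\\profiles"),
    # A Run key is both persistence (T1060) and a registry modification (T1112).
    ("Adds Run key to start application", ("T1060", "T1112"), "reg_set",
     r"\\microsoft\\windows\\currentversion\\run\\"),
    # ASSUMPTION: common public IP-echo services; the report names none.
    ("Looks up external IP address via web service", ("T1082",), "dns",
     r"^(checkip\.dyndns\.org|api\.ipify\.org|icanhazip\.com)$"),
    ("Suspicious use of SetThreadContext", (), "api",
     r"^SetThreadContext$"),
]


def match_rules(events):
    """Run every rule over (kind, target) events.

    Returns an ordered dict {behaviour name: [matching targets]} containing only the
    behaviours that fired, in first-seen order.
    """
    hits = OrderedDict()
    for kind, target in events:
        for name, _techniques, rule_kind, pattern in RULES:
            if kind == rule_kind and re.search(pattern, target, re.IGNORECASE):
                hits.setdefault(name, []).append(target)
    return hits


def attack_summary(hits):
    """Count fired behaviours per technique ID, the way the report's matrix does.

    A behaviour is counted once per technique however many events matched it.
    """
    techniques_for = {name: ids for name, ids, _, _ in RULES}
    counts = {}
    for name in hits:
        for tech in techniques_for[name]:
            counts[tech] = counts.get(tech, 0) + 1
    return counts


# Telegram Bot API URLs carry the bot token in the path: bot<numeric id>:<secret>.
TELEGRAM_BOT_URL = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/?$")


def telegram_bot_indicator(c2_url):
    """Split an extracted Telegram C2 URL into (bot_id, token), or None if it is not one.

    The numeric ID is stable for the bot account and is the part worth hunting for in
    proxy logs; the token is what the sample presents to the Bot API.
    """
    m = TELEGRAM_BOT_URL.match(c2_url)
    if not m:
        return None
    return m.group(1), m.group(2)


# Constructed events shaped like a sandbox registry/API trace; NOT taken from this run.
SAMPLE_EVENTS = [
    ("reg_query", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    ("reg_query", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    ("reg_query", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("reg_query", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"),
    ("reg_query", r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue"),  # value name constructed
    ("dns", "checkip.dyndns.org"),
    ("dns", "api.telegram.org"),       # C2 host; covered by telegram_bot_indicator, not a behaviour rule
    ("api", "SetThreadContext"),
    ("reg_query", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),  # benign, no rule
]

if __name__ == "__main__":
    fired = match_rules(SAMPLE_EVENTS)
    for behaviour, targets in fired.items():
        print(f"{behaviour}: {targets[0]}")
    print(attack_summary(fired))
    print(telegram_bot_indicator(
        "https://api.telegram.org/bot5705602282:AAFcwBeX9coGMKJeokPZOq06CS7N1H2rCJI/"))
```

Run against the constructed events, every behaviour in the report fires once and `attack_summary` reproduces the matrix below (T1012 at 4 because all four anti-analysis registry reads are also registry queries, the Run key counted under both T1060 and T1112). For hunting, block or alert on the bot ID rather than the whole `api.telegram.org` host if legitimate Telegram traffic exists in the environment, and treat `SetThreadContext` aimed at a freshly created suspended process as the hollowing signal rather than the API call alone.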

MITRE ATT&CK Matrix (ATT&CK v6)

The number after each technique is how many of the behaviours listed above map to it; one behaviour can count under several techniques.

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 4

    Virtualization/Sandbox Evasion (T1497): 2

    System Information Discovery (T1082): 2

    Peripheral Device Discovery (T1120): 1

  • Collection

    Email Collection (T1114): 1

Tasks