General

  • Target

    12990362FCB5224DFA15ED3A0B2592F92F63E4B2436825F2DEA2C337B7EA1154

  • Size

    519KB

  • Sample

    221123-r2g8msab54

  • MD5

    7df034292eedcf884efd8254629d4fdb

  • SHA1

    cd36134a65a415928ac09aefbcc190cdbeecf211

  • SHA256

    12990362fcb5224dfa15ed3a0b2592f92f63e4b2436825f2dea2c337b7ea1154

  • SHA512

    7e4524c666a87b983720df5382ec1fcec9abf746133ea4a441b6d69141df2b03f43fbe9bf3080796324ca12625c9d60130fbe32ee6fd2877020d638a647305bd

  • SSDEEP

    12288:UB62S7widmbQawQjYGivNeaBeN8OTf1LVpf0q:SS7wiMQaw2YGiTsfV7x

Malware Config

  • Extracted

    Family

      agenttesla

    C2

      https://api.telegram.org/bot5349655878:AAGnMhpzchQYN5RbZ88-w3gvA1SNsxWo7ts/

Targets

    • Target

      Shipping_Document-Invoices/Shipping_Document-Invoices.exe

    • Size

      879KB

    • MD5

      0a077e5e133a8e9a32114df50882d86a

    • SHA1

      b0015c4518867c66c2c57a0ec2db896c22516884

    • SHA256

      aa632ae086499d0662fb4c362e0af726190cd4011b9d8285bcb175651d3d503a

    • SHA512

      9a61d2dcd1c4dafdf5bce2145583570e83a5b1fb8ddbbeb42b077c9de70c4c064b4a9848b4b7249f8e78c1b719354c5645de4e8960b00b0acbffee22758478db

    • SSDEEP

      24576:mHAYCwNaKPGUz7VLGMl/yejKBkj5hmGvvPBcwnM4T:mg9wYKPpzxXikVhmYnBcwMu

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), typically compiled from Visual Basic .NET or C#. It harvests credentials and keystrokes and exfiltrates them over SMTP, FTP, or, as in this sample, the Telegram Bot API.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence to avoid executing in unwanted regions.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
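The registry and web-lookup signatures above can be reproduced from a sandbox API trace. The script below is an added example, not code from the report, the sandbox, or the sample: it replays a constructed API log in the form `<pid> <api> <argument>` against the well-known registry locations that the listed checks refer to (an assumption about what the sandbox matched on; the VirtualBox, VMware, BIOS, Geo, EnableLUA and Disk\Enum paths are the standard ones) and against an illustrative list of external-IP services, then reports which signatures fired.

```python
"""Replay a sandbox registry/HTTP API log against the anti-analysis,
geofence and UAC checks listed in the report.

Added example: not code from the report, the sandbox, or the sample.
Registry paths are the well-known locations behind each signature
(assumption); the IP-lookup host list and log lines are constructed.
"""
import re
from collections import defaultdict

# signature name -> (registry key prefix, value names that must be read,
# or None meaning any access to the key counts)
REGISTRY_SIGNATURES = {
    "Looks for VirtualBox Guest Additions in registry":
        (r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions", None),
    "Looks for VMWare Tools registry key":
        (r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools", None),
    "Checks BIOS information in registry":
        (r"HKLM\HARDWARE\DESCRIPTION\System",
         {"SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate"}),
    "Checks computer location settings":
        (r"HKCU\Control Panel\International\Geo", {"Nation"}),
    "Checks whether UAC is enabled":
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
         {"EnableLUA"}),
    "Maps connected drives based on registry":
        (r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum", None),
}

# Illustrative external-IP services (assumption; extend from your own telemetry).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ipinfo.io"}

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
                "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}

# Constructed log format: "<pid> <api> <argument>"
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s+(?P<arg>.+?)\s*$")
URL_RE = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)

# Constructed trace lines, not taken from the report.
SAMPLE_LOG = [
    r"2844 RegOpenKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"2844 RegOpenKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools",
    r"2844 RegOpenKeyExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System",
    r"2844 RegQueryValueExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"2844 RegQueryValueExW HKEY_CURRENT_USER\Control Panel\International\Geo\Nation",
    r"2844 RegQueryValueExW HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    r"2844 RegOpenKeyExW HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\Enum",
    r"2844 RegQueryValueExW HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData",
    r"2844 InternetOpenUrlW http://checkip.dyndns.org/",
    r"2844 InternetOpenUrlW https://api.telegram.org/botXXXX/sendDocument",
]


def normalize_key(path):
    """Canonicalise a registry path: short hive name, lower case."""
    hive, _, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return f"{hive}\\{rest}".lower()


def classify(lines):
    """Return {signature: [matching log arguments]} for the given log lines."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        api, arg = m.group("api"), m.group("arg")
        if api.startswith("Reg"):
            key = normalize_key(arg)
            for name, (prefix, values) in REGISTRY_SIGNATURES.items():
                p = prefix.lower()
                if not (key == p or key.startswith(p + "\\")):
                    continue  # match on whole path components only
                if values is None:
                    hits[name].append(arg)
                elif api.startswith("RegQueryValue") and \
                        key.rsplit("\\", 1)[-1] in {v.lower() for v in values}:
                    hits[name].append(arg)  # value name is the last component
        else:
            u = URL_RE.match(arg)
            if u and u.group(1).lower() in IP_LOOKUP_HOSTS:
                hits["Looks up external IP address via web service"].append(arg)
    return dict(hits)


if __name__ == "__main__":
    for name, args in classify(SAMPLE_LOG).items():
        print(f"{name}: {len(args)} hit(s)")
```

Merely opening HKLM\HARDWARE\DESCRIPTION\System does not fire the BIOS check; the value read (SystemBiosVersion) does, which keeps the signature from matching benign enumeration of the hardware tree. The Telegram upload in the trace is deliberately not matched here: C2 detection belongs to the extracted config above, not to the IP-lookup heuristic.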

MITRE ATT&CK Matrix (ATT&CK v6)

Count is the number of signatures above that map to the technique. Technique IDs follow ATT&CK v6; in current ATT&CK, T1088 has been subsumed into T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control) and T1089 into T1562.001 (Impair Defenses: Disable or Modify Tools).

  Tactic                 Technique                        Count   ID
  Privilege Escalation   Bypass User Account Control      1       T1088
  Defense Evasion        Bypass User Account Control      1       T1088
  Defense Evasion        Disabling Security Tools         3       T1089
  Defense Evasion        Modify Registry                  4       T1112
  Defense Evasion        Virtualization/Sandbox Evasion   2       T1497
  Discovery              Query Registry                   5       T1012
  Discovery              Virtualization/Sandbox Evasion   2       T1497
  Discovery              System Information Discovery     5       T1082
  Discovery              Peripheral Device Discovery      1       T1120

Tasks