Overview

overview

10

Static

static

invoice.exe

windows7-x64

10

invoice.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    invoice.exe

  • Size

    1.1MB

  • Sample

    221123-rl9yqaca3x

  • MD5

    f683d81b0a64bbd11cf5f21ec12da54c

  • SHA1

    646df1c5b6d45e01e1e042ffe9e46f820ecc5b4c

  • SHA256

    c018bc22c700a8f6e4100b843d3a96b2409d6c215e1062608fd73714236764fd

  • SHA512

    8dc81a8a3df22fdacaf3baa5e8226de0087f9d7a80d9ffd4015b3407e3e534e03027d0b1a5960f25972b995c54ffd52780c9483bdb07cdde17e79a0b3578980c

  • SSDEEP

    24576:PGIGAA2Jim+0u1zHoVXGkQgylZUcHfOVjqdOpd:eGJJhLu1rcGkKd4jqdO

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      invoice.exe

    • Size

      1.1MB

    • MD5

      f683d81b0a64bbd11cf5f21ec12da54c

    • SHA1

      646df1c5b6d45e01e1e042ffe9e46f820ecc5b4c

    • SHA256

      c018bc22c700a8f6e4100b843d3a96b2409d6c215e1062608fd73714236764fd

    • SHA512

      8dc81a8a3df22fdacaf3baa5e8226de0087f9d7a80d9ffd4015b3407e3e534e03027d0b1a5960f25972b995c54ffd52780c9483bdb07cdde17e79a0b3578980c

    • SSDEEP

      24576:PGIGAA2Jim+0u1zHoVXGkQgylZUcHfOVjqdOpd:eGJJhLu1rcGkKd4jqdO

    Score
    10/10
    agentteslacollectionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks