General

  • Target

    INV-117624 LPO-3642.zip

  • Size

    543KB

  • Sample

    221125-hdggrsca8z

  • MD5

    b2aadf4b50e1db2e775fbc3630468087

  • SHA1

    e3b11d0512ee119928e127a71fa2eadcc0f225b5

  • SHA256

    cfae17dbafecd66a9b4404679670674dc101aa23691a6b54c4e59d937a8bdb84

  • SHA512

    4d22315a5751c40f43d123d9fa4b0c4b902341a84fd51d27c7af5d778cc8013500eb2020040a71df3eac4759caeb8fa67df3849e676201906352aca8d925fe09

  • SSDEEP

    12288:1Td0mBeouIVkCla2mFx+6ZW+rVRSmMywOQk77AsWCFrZO8r55U9sm07BeVu:FOmBeoICr8x+qPvhksRxZJbU9sm07EQ

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      INV-117624 LPO-3642.exe

    • Size

      651KB

    • MD5

      505852f2cd67a14131d2d6e927d92889

    • SHA1

      a7062897a84533c30705eb6667d352c78a43b9f6

    • SHA256

      8e6fe812e3f4a19a51a0978e9c47e2cdb891f1feecb0a7ae2c1eff744c971371

    • SHA512

      49709821545b0fb4e7c12ebee2382258def6f5ad9025c91d1ce28bd02b961d8f7c0aed47d2d1a866d5636643d9f13e5a561c872e06e758af2f2f148180bd7585

    • SSDEEP

      12288:sFTYIvM3zrbETClyHskFgFwIyXCDmVRSmMSwOQkL7AiGSdrZOOP55U9smC7B4s:6dU376CoskFgqIyXxv/kiPpZFbU9smCr

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                      Count  ID
  Execution              Scheduled Task                 1      T1053
  Persistence            Scheduled Task                 1      T1053
  Privilege Escalation   Scheduled Task                 1      T1053
  Credential Access      Credentials in Files           3      T1081
  Discovery              Query Registry                 1      T1012
  Discovery              System Information Discovery   2      T1082
  Collection             Data from Local System         3      T1005
  Collection             Email Collection               1      T1114

Tasks