Overview

overview

10

Static

static

shippin docs.exe

windows7-x64

3

shippin docs.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    shippin docs.exe

  • Size

    480KB

  • Sample

    221204-y292zsga6w

  • MD5

    06d253413aa62c1eb72edb9fdc6e2a87

  • SHA1

    a3d8c88b5b9709699c183925ce3ad653491aee9d

  • SHA256

    f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822

  • SHA512

    74eee8077764b41bb10bfdb2f8408af549951abdf9244d0c609de931ba6f847b6653d1088cb4394de875c0f23837b28f712cc4c8161a50d4127206bb669d68bb

  • SSDEEP

    12288:q0aShcx7plNJAYnIKPPfpZlrySug8pG94L3st+s0u5jgbO:q0aSholNJrXdr5ug88ss0s0gEO

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5745656562:AAEWafwrgUiORYk4Z5mN1SY726IYW3inkfw/

Targets

    • Target

      shippin docs.exe

    • Size

      480KB

    • MD5

      06d253413aa62c1eb72edb9fdc6e2a87

    • SHA1

      a3d8c88b5b9709699c183925ce3ad653491aee9d

    • SHA256

      f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822

    • SHA512

      74eee8077764b41bb10bfdb2f8408af549951abdf9244d0c609de931ba6f847b6653d1088cb4394de875c0f23837b28f712cc4c8161a50d4127206bb669d68bb

    • SSDEEP

      12288:q0aShcx7plNJAYnIKPPfpZlrySug8pG94L3st+s0u5jgbO:q0aSholNJrXdr5ug88ss0s0gEO

    Score
    10/10
    agentteslacollectionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Sets service image path in registry

      persistence

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks