General

  • Target

    SecuriteInfo.com.Win64.TrojanX-gen.5439.21008.exe

  • Size

    675KB

  • Sample

    221206-g8cavsbh85

  • MD5

    3b6ca488cd7f00b65b0ccd47ff66043f

  • SHA1

    4132750b8539272420e1534f30ff2f1bf21bd26c

  • SHA256

    7af26d4be02ea118637294df3174174d700125c33a442179cf6786ed96acb6ef

  • SHA512

    faf96e9ea21895bd20651a7c36ec283363c3f1abd965187a3be58f32d7121bb1dfbe1b8aec1ec07cd03b1d31af87bf3dca1d6c5d39fa84db49c7cbfe8b8e8e1c

  • SSDEEP

    12288:emlf9JHHuuaHzXXpStQWjGhwAF6d5iupgw7pfZ9/4tmTsOAG:ZfHH0HzXX0zCF6d5fpNx7/hsO7

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5705602282:AAFcwBeX9coGMKJeokPZOq06CS7N1H2rCJI/

Targets

    • Target

      SecuriteInfo.com.Win64.TrojanX-gen.5439.21008.exe

    • Size

      675KB

    • MD5

      3b6ca488cd7f00b65b0ccd47ff66043f

    • SHA1

      4132750b8539272420e1534f30ff2f1bf21bd26c

    • SHA256

      7af26d4be02ea118637294df3174174d700125c33a442179cf6786ed96acb6ef

    • SHA512

      faf96e9ea21895bd20651a7c36ec283363c3f1abd965187a3be58f32d7121bb1dfbe1b8aec1ec07cd03b1d31af87bf3dca1d6c5d39fa84db49c7cbfe8b8e8e1c

    • SSDEEP

      12288:emlf9JHHuuaHzXXpStQWjGhwAF6d5iupgw7pfZ9/4tmTsOAG:ZfHH0HzXX0zCF6d5fpNx7/hsO7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6