Overview

overview

10

Static

static

71a6401ab3...ae.exe

windows7-x64

10

71a6401ab3...ae.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    71a6401ab3cdddf346353e5c03a5b60d086ffa0861f64c355d20bed2374b5bae

  • Size

    876KB

  • Sample

    221206-hf19yscf22

  • MD5

    715c8a340ceb9d32096378bb736872f4

  • SHA1

    6d2e8e0fa231fd780b6e9bf89e54794502caf526

  • SHA256

    71a6401ab3cdddf346353e5c03a5b60d086ffa0861f64c355d20bed2374b5bae

  • SHA512

    cd832af4365369aaa004f8b633653b6bf520ae25e427738b23fb3b887b2c9e1c351cfa056ffeda6613cde9a657f6d5d11ed19ea5f5740a0179436448c6027ab2

  • SSDEEP

    12288:Sz3EEC1Noku3XDG2yxW4j8Z2Py6jcZz6LLWoXhgIscC808ugklx:QDC1NozG2yY4QR6jCqXh5scC808ugo

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.huiijingco.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    lNLUrZT2

Targets

    • Target

      71a6401ab3cdddf346353e5c03a5b60d086ffa0861f64c355d20bed2374b5bae

    • Size

      876KB

    • MD5

      715c8a340ceb9d32096378bb736872f4

    • SHA1

      6d2e8e0fa231fd780b6e9bf89e54794502caf526

    • SHA256

      71a6401ab3cdddf346353e5c03a5b60d086ffa0861f64c355d20bed2374b5bae

    • SHA512

      cd832af4365369aaa004f8b633653b6bf520ae25e427738b23fb3b887b2c9e1c351cfa056ffeda6613cde9a657f6d5d11ed19ea5f5740a0179436448c6027ab2

    • SSDEEP

      12288:Sz3EEC1Noku3XDG2yxW4j8Z2Py6jcZz6LLWoXhgIscC808ugklx:QDC1NozG2yY4QR6jCqXh5scC808ugo

    Score
    10/10
    agentteslaevasionkeyloggerspywarestealertrojancollection

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks