Resubmissions

27/12/2022, 14:34  221227-rxqn8afa54  score 10

27/12/2022, 14:34  221227-rxfh9afa52  score 10

25/12/2022, 11:46  221225-nxcwksee8w  score 10

General

  • Target

    agent-tesla.zip

  • Size

    4.9MB

  • Sample

    221227-rxfh9afa52

  • MD5

    b82253158fa3650108349b826ecb840b

  • SHA1

    3c7494f01ee4d6f30fdfe07627ed5ba79dea325e

  • SHA256

    01b10e69f2bf67fdd929c4cb584dd248a71ad447eb460787f9e2ba34129ac4c3

  • SHA512

    566820251c749753f3abc7c5f3e853338b16c3db600f153dbbf1a59a49eb10e893d3b7c6012204793df34821d479a71d16e74e3b49e77666102bb8c8c6dc4657

  • SSDEEP

    98304:mOUfHc0qEAcAD7utsfWtgtQhIUIz/YF4OXirF2zf0dCuJhlKCr1Jf3kZn19Y1fqA:EfvFAcmuda7/YOnFy0LlK+0xq

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5618720367:AAFqeS2K5cBYFRaIBpS6oi_RaSYSI0_A__w/

https://api.telegram.org/bot5932499274:AAFVgY_mSAbCu0fXfBWMuUmyk56JtTf6--Q/

https://api.telegram.org/bot5934477911:AAFE-T4zPYFg9j3dne3DNo28zBQV6eiIuEY/

Targets

    • Target

      1c15539131a4b7a2864bf1cc5744ea213fce23e8b643d2cd00f0a242f4e775b2.exe

    • Size

      1.0MB

    • MD5

      1a5e881a5197cdee0fd2be1af368198a

    • SHA1

      3ff94ebf7ed66aadafa66b28f01f3a4beeadb98c

    • SHA256

      1c15539131a4b7a2864bf1cc5744ea213fce23e8b643d2cd00f0a242f4e775b2

    • SHA512

      8c75be3273a8d8b1043e3e4e2034cd00a8bb33c404ae2441619e16113b24723159a46a6fce4526ae31040e1bd3ee7368340ad7bbbb2fe4d0c9d15d78fdc4ffb2

    • SSDEEP

      12288:attzg2iNNvemxU2Uy49rF+mu3bk0RqV4Ef3JdselFDnw7Vu:QBg1vxUWcIrk0Rqf3Jd1FLIV

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      FedEx EL1870335D online Customer AWB Shipping Advisory AWB Docs.Commercial Invoice. Packing List. Bill of Landing CMS00.exe

    • Size

      883KB

    • MD5

      72c4749f756b5b7341ef425d769d6c74

    • SHA1

      ba3b0faf467c1db173c9aaf37bf69ccb30759ecb

    • SHA256

      a6339dda7fc718e5a77bb3736d1c87e6a8fbc14827525307b3e8f184f02afd48

    • SHA512

      e7b31a35f9d80b4eba17c49f875dfa32d6a6d786bbe3db22de272f6c99eb7aef8d8936d90e82cac7c7da58c34d43fd82a5374544fba5b95c3866287fe642f295

    • SSDEEP

      24576:O1VT1rXpNTgDDQmBMjerErCQtUcCMuy1HzgcK3vJc:OvNTWM4lgAcCMZzgcK3vu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      HSBC_Swift_Copy.pdf.exe

    • Size

      1001KB

    • MD5

      ce3718f0a5cd81530496e4724857b0cb

    • SHA1

      17aca36e82674bd55a48684acc4eef6cd02696b1

    • SHA256

      980572025579ff98c1ab84aa8c0c045e075d174bc5bb166e2694590c98f90a54

    • SHA512

      6f30e90a5b9412a24f9513690cfca60c57f2e615604a12ddb7e355bd80894b7f3a37d8242813c76484a258db588c3df25f193a556284c3408d98c92ae814f724

    • SSDEEP

      12288:bZ+2iN1/Sr+pGrnU9xmh873NdbE9QJKQZdF+LHZnbNFphh26mdOAH8c+9epf+mDG:Q1e+gnU9cOrjEw5Zupbxhh26mlH80q

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Halkbank_Ekstre_20221222_114527_468568.exe

    • Size

      497KB

    • MD5

      447d145276eef872ff7ff17aece82184

    • SHA1

      770464513653a17210806339a7bd5f51a761f355

    • SHA256

      a4e9eafd0bfcb5db60683b2c37e4a113087a656408b96e2795f94af8aecc20b2

    • SHA512

      cfeee165c61a2a62f13611d7cad57c8bdc9ebe441718953394cf3e200398a5ebb71ffaf7cc427981105f65c3e6fe23d021d32713ce70a76c80e9296fb3572fbf

    • SSDEEP

      6144:ckwKLoJOtJrEx6csI6PVmWVc9fXEna+sSJSYRf7P1cZGllQYbT:7LosV0/3WVc98a+bJLf7PeZG7/

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      SecuriteInfo.com.Win64.RATX-gen.30948.8275.exe

    • Size

      1.1MB

    • MD5

      ff463709d7e429065e6efeb1456281a5

    • SHA1

      43821ebc1f3f3e1b7208314747fdf8527263f363

    • SHA256

      6f05a91cd30498cf1bc9b2e0058f1e3caa18b401b77d0a83b71a6df845430716

    • SHA512

      990efaf520e2bfcf2a42b491e67b9266380d966439e132c40ad0eba28ae9ebaf6448bb538128a38e851be6a6660b04451c75138139e1371ac104540564a07dcd

    • SSDEEP

      12288:SNP57i9RD++rs7j5Dytl7B1ljdOtovwGPVp/n2sS4OIvlxd2UIivOmBgdUYt9flG:Xh7XfPCsS41hbjSCC5Gm6oG+/c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      epTZLp5PyVs2lsz.exe

    • Size

      1.0MB

    • MD5

      e74df11dc99580800c2ab75798fd0e25

    • SHA1

      2b7914bd316d5d22a122d0263acca82e4152532b

    • SHA256

      54080957647575cffb4a2575baac7edf65a4a8d3faac7b133246bae3a1bdb3b9

    • SHA512

      962cf59714314e2f71c9fc45dc9c5940ed678ce25e6a6c33da29f15bc6893e6e0850af25533a6cf067fcfd6d9087de676a710d5a83db18db5f065fe024afe604

    • SSDEEP

      24576:5LZLn1GvvokU/em1X4QaZDQi3/NMSwW8NlK:5tLnU3DU/d9YZDQQNiZzK

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc.exe

    • Size

      1014KB

    • MD5

      26c27aabc7f503c9c77f004f4b909c2b

    • SHA1

      c01b1e1eb7a532539b8626409eec93c5f7e86243

    • SHA256

      f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc

    • SHA512

      0182a98ab6dfec078f24a20972e42d652f8a8acc2ae707aea63c0b30dea97618843affee13de2e8bc772d9d38efd54dc219c7cdceaf2309482381b165e03259f

    • SSDEEP

      12288:Wd4l68YdxM7KcQF8SYyKQiQGarSYSODjyVKSqmtDUHILYacpf+mDXttarruVBDUt:448888KcM86viiLz8KSqeDUHILY9

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      f2335865a426507b47ecf5e37dcae9a3.exe

    • Size

      860KB

    • MD5

      f2335865a426507b47ecf5e37dcae9a3

    • SHA1

      7ccf56c9c48ffc911ac80ddf5240a42c99f83e33

    • SHA256

      57901cf97d0ab4c57f8b4927c75bd8761182b5ddb80d09bb917aab71ae68d7c6

    • SHA512

      67fd0fb2b872446957c570fb3418ee41363b8b0a6362819c36cef81454acadb2892e31dab2f7760a2f848c92b2b61b8ad5012a6781281f6cb009815c9424e208

    • SSDEEP

      24576:EsFdELpCybniAU6cH80ru/71mnMOrYH1ocO:FFdELpCybniAU6Gu/71mndM1jO

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1: score 1/10

behavioral1: score 10/10, tags: agenttesla, collection, keylogger, spyware, stealer, trojan

behavioral2: score 10/10, tags: agenttesla, collection, keylogger, spyware, stealer, trojan

behavioral3: score 10/10, tags: agenttesla, collection, keylogger, spyware, stealer, trojan

behavioral4: score 10/10, tags: agenttesla, collection, evasion, keylogger, spyware, stealer, trojan

behavioral5: score 10/10, tags: agenttesla, collection, evasion, keylogger, spyware, stealer, trojan

behavioral6: score 10/10, tags: agenttesla, collection, evasion, keylogger, spyware, stealer, trojan

behavioral7: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral8: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral9: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral10: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral11: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral12: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral13: score 10/10, tags: agenttesla, collection, evasion, keylogger, persistence, spyware, stealer, trojan

behavioral14: score 10/10, tags: agenttesla, collection, evasion, keylogger, persistence, spyware, stealer, trojan

behavioral15: score 10/10, tags: agenttesla, collection, evasion, keylogger, persistence, spyware, stealer, trojan

behavioral16: score 10/10, tags: agenttesla, collection, keylogger, spyware, stealer, trojan

behavioral17: score 10/10, tags: agenttesla, collection, keylogger, spyware, stealer, trojan

behavioral18: score 10/10, tags: agenttesla, collection, keylogger, spyware, stealer, trojan

behavioral19: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral20: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral21: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral22: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral23: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan

behavioral24: score 10/10, tags: agenttesla, collection, keylogger, persistence, spyware, stealer, trojan