Overview

overview

10

Static

static

SOA.exe

windows7-x64

10

SOA.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    SOA.exe

  • Size

    1.2MB

  • Sample

    230109-ct5lmscg38

  • MD5

    ee6e6a1ea9f172b8246820b3c0820eb7

  • SHA1

    4012d657455af84129d4864162ba1f38b0f000ea

  • SHA256

    132a12a98cc3cc5857d24ddb35c499ec344d2482a8ca101df1630b9be37b11d1

  • SHA512

    cb3687ab8871705043659f79ccb5b99d4dfb3c9b4c14f78a32c68b7e36debc995e40968cf456c6dbedb71d59adc641ac607d68a1ef26e81f4a5abb9fcdedb8a1

  • SSDEEP

    12288:3qCydRWVgDAgRQFl2T6q0KaSkyAfGfpMIoiayEIvK8VcqauUfsixlgw7fUSjEEzQ:acKD00AVam/PHxuF0Vb4vPFrd

Score
10/10
agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/

Targets

    • Target

      SOA.exe

    • Size

      1.2MB

    • MD5

      ee6e6a1ea9f172b8246820b3c0820eb7

    • SHA1

      4012d657455af84129d4864162ba1f38b0f000ea

    • SHA256

      132a12a98cc3cc5857d24ddb35c499ec344d2482a8ca101df1630b9be37b11d1

    • SHA512

      cb3687ab8871705043659f79ccb5b99d4dfb3c9b4c14f78a32c68b7e36debc995e40968cf456c6dbedb71d59adc641ac607d68a1ef26e81f4a5abb9fcdedb8a1

    • SSDEEP

      12288:3qCydRWVgDAgRQFl2T6q0KaSkyAfGfpMIoiayEIvK8VcqauUfsixlgw7fUSjEEzQ:acKD00AVam/PHxuF0Vb4vPFrd

    Score
    10/10
    agentteslaevasionkeyloggerpersistencespywarestealertrojancollection

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks