General

  • Target

    ScriptWare.exe

  • Size

    14MB

  • Sample

    230331-vvm24adc6v

  • MD5

    99d229c373b195c6462976531e10b923

  • SHA1

    fd09b5fd8156d5917e0efa00df6d726a8fa2eb93

  • SHA256

    4836a229a4c4a1a01e23e086d574b115d227d7746da27512d9fc11a364384442

  • SHA512

    c99c2ee48c3b232e3699c39186099eff90bc271657765bf9d8d15ce1334ecd222664407a41f7420b4bf56c792e36216be1ea5a5781a6aa64b484a0532e8ba029

  • SSDEEP

    393216:+cFJi0bdAuKGFrHJ4W9pp/+vMogAuKGFrHJkRAPA7Y1QA/J+jxBKW:xi0bAWAk1QAxmBKW

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Install Root Certificate, T1130 (1)
    Modify Registry, T1112 (1)

  • Discovery

    System Information Discovery, T1082 (2)
    Query Registry, T1012 (1)

Tasks