General

  • Target

    14a7895f66e0cb9c00b477baac4f324c.bin

  • Size

    688KB

  • Sample

    230401-bc995agb9v

  • MD5

    5f5cbcbc03b9afcf14b104db582d6463

  • SHA1

    2322ea4e99ae96bcf87e60bae12994fa5e275ec8

  • SHA256

    6d9d8c3f731a4f557bd3f750f15d7fd5defc0e9a5382744b83f43e98f8e9a1e4

  • SHA512

    1481309cbe3078ae6cbde3adaa105b900377067ff2a2d95cfc22a13a2049a1416ea79295a2b31fffccd30aabf4ec63a5c53765614b45c3163ec3bea2a8431070

  • SSDEEP

    12288:KSNV3N8kIpwQo6RNpt1t6ZkNLV+4hBl4jZ12JjOqfnK57RB7iEgxwbU93q:KNSQoQ3tT24rl4r2Yq/K5dB7iEgxwbl

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ardsmmm.com
  • Port:
    587
  • Username:
    ebru@ardsmmm.com
  • Password:
    Ard2015**
  • Email To:
    oficinaabonosjuanluca@gmail.com

Targets

    • Target

      495b0122-e196-4271-8992-bc9b22c8a5af.exe

    • Size

      767KB

    • MD5

      b6109aab2d2a51ea0c6f6b28aa2a869a

    • SHA1

      c02f08dea05b56f953b5c724499c552dc7126c4a

    • SHA256

      2abb89507bbcec354ea3293c13851505059ade5b0b6070793cd69e44e01dcceb

    • SHA512

      9651051086d96a83fcbf8cfcd11f2e569a08a905e74deece22756a357594c601be05fa81f9d624c2c6014cf4a5a9ad9ca5a904751faf53d7a0e2dd3870e7b627

    • SSDEEP

      12288:/ghti/pICWSh/cg9E2bCVGpzOH/8/6l0ankiuhSnRTt1q15WkndorDNJcaugJjUJ:4O2ohkgO2Goek00ankzhSpXq15fndorw

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery

    • Query Registry (1) T1012

    • System Information Discovery (2) T1082

  • Collection

    • Email Collection (1) T1114

  • Command and Control

    • Web Service (1) T1102

Tasks