General

  • Target: 7e5aeae4b1308c9ae003470343717c1dba150f56448d2730d30509eb81ade747.exe
  • Size: 966KB
  • Sample: 230403-nnvd9sfh5s
  • MD5: 772f41b5b21ec9fb68b8b3805839fb54
  • SHA1: 254f0a4a206195e51ede84b125aa2eb896adcfa2
  • SHA256: 7e5aeae4b1308c9ae003470343717c1dba150f56448d2730d30509eb81ade747
  • SHA512: 43d6eba4403b5b26ea6ff9161c9365b2f6ee280b07f5703e7a35885d2312d412883141059601e01ab62bc35a472760eead667700327932b172b6240bd1595719
  • SSDEEP: 24576:xdMU5fPXiSz0mJTdKBetEHCqu2bBkAbqafC5ZaWyo+gZRf0:xdMUVpFj8U+2BaK5oWybgZRf0

Malware Config

Extracted

  • Family: agenttesla
  • C2: https://api.telegram.org/bot6096662297:AAG_p__MDOrl-GW8m1_d4KE8lp9LaFVvEfM/

Targets

    • Target: 7e5aeae4b1308c9ae003470343717c1dba150f56448d2730d30509eb81ade747.exe
    • Size: 966KB
    • MD5: 772f41b5b21ec9fb68b8b3805839fb54
    • SHA1: 254f0a4a206195e51ede84b125aa2eb896adcfa2
    • SHA256: 7e5aeae4b1308c9ae003470343717c1dba150f56448d2730d30509eb81ade747
    • SHA512: 43d6eba4403b5b26ea6ff9161c9365b2f6ee280b07f5703e7a35885d2312d412883141059601e01ab62bc35a472760eead667700327932b172b6240bd1595719
    • SSDEEP: 24576:xdMU5fPXiSz0mJTdKBetEHCqu2bBkAbqafC5ZaWyo+gZRf0:xdMUVpFj8U+2BaK5oWybgZRf0

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                      Count  ID
  Execution              Scheduled Task                 1      T1053
  Persistence            Scheduled Task                 1      T1053
  Privilege Escalation   Scheduled Task                 1      T1053
  Credential Access      Credentials in Files           3      T1081
  Discovery              Query Registry                 1      T1012
  Discovery              System Information Discovery   2      T1082
  Collection             Data from Local System         3      T1005
  Collection             Email Collection               1      T1114

Tasks