Overview

overview

10

Static

static

1

DHL_AWB_NO...46.exe

windows7-x64

10

DHL_AWB_NO...46.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DHL_AWB_NO__AWB 4507558646.bin.zip

  • Size

    672KB

  • Sample

    230403-ntvl8afh7w

  • MD5

    7d115acf843dddb094a3b3aa2e5cecb7

  • SHA1

    3dd4e95d6a593b11d40f6b3473d8e884f56adc64

  • SHA256

    2198ce03ea263d93d322f02634c6e7ac3e33d5efaa361b7e1916187168a881fe

  • SHA512

    ae193666fb437c86dd9efd7206ba6f9a5ce13f2c553905d8be8a75df931218246f5b1ddbdf06473bf6e0b9e71ac270ded25fa53b0d1c540de54e6f4e0d6cffb6

  • SSDEEP

    12288:N0rfr22ZANoIgX8CAOXZRawDXmn5d8kYMhRDITgwnxdibLp:W62ZPsCAOpRawDW5WJMrETgwxs

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6191932863:AAEw6WZfMHSbIiilSKsmAnJOgaZwvnoMVh8/

Targets

    • Target

      DHL_AWB_NO__AWB 4507558646.bin

    • Size

      715KB

    • MD5

      f4171a1d0b83927205b24a869405fab5

    • SHA1

      18daf981878dfbca56ff020a94ffd5ff31acb930

    • SHA256

      1035c0af69138d45af1e8a10682c5fe707ac7e4334ea1517744da7ac67dad711

    • SHA512

      997616ea7e75efb36576a909acc45b57f69dfa0e64b7b2c14e9dd2c59d51f97a01f1f405db3010d34fd1ec3d66279bb3c0dae490bc59a70113504f49b34720c9

    • SSDEEP

      12288:P5CBWKdq1FbwwJLwre64jor+JlC6l8w28bQpP9zPQ5roiHn/uLIdlL1myy1GBL:QfrpXaXC6l8wUgloIn/8yy1EL

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks