Overview

overview

10

Static

static

3

54924f638e...e1.exe

windows7-x64

10

54924f638e...e1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3b7f0af501e6084cecdae2e5a0b74b69.bin

  • Size

    381KB

  • Sample

    230506-1aa5pafh98

  • MD5

    3b7f0af501e6084cecdae2e5a0b74b69

  • SHA1

    24faebfb6018144c67e689fc131ca9f5c6c94966

  • SHA256

    924eafdbcc88066c909b46f8394a3619439a09015c3c416e809fc6f346499e0e

  • SHA512

    48c4b0b2c7114c5921b9f12acd64f6c6797bf5b6e48e02f942d27870a7351a19400803c97841ae5eed3299e13bbdbbf8f908756035eb45fb2606e699b9da5914

  • SSDEEP

    6144:NWwmYkWlcKGujjyND3E+nchQrFZDwm2ByfWbboVrs7Eurvo5vBo7azb13my7A9HU:NRmk9GejiEqFZt2I+boVrs7EurQqOlWC

Score
10/10
agentteslaredlinecollectionevasioninfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      54924f638edfc6109b34be64a3d61ee59bb2105022e40f9a05d52cbc07f580e1.exe

    • Size

      486KB

    • MD5

      720cef1e3fdca858b0c73237c7a91fe9

    • SHA1

      a2dd0980f7086534127ac965a227cc9ea727fd74

    • SHA256

      54924f638edfc6109b34be64a3d61ee59bb2105022e40f9a05d52cbc07f580e1

    • SHA512

      6aec220cdff1727743a0fdf02110c5ca505b3176e83ee0e3a90bd933ca769337347af62e726db62574cc6c7958b8b5fb233299886fee649affc836077264d952

    • SSDEEP

      12288:0EBQ0y7fn4Ijupj1oDcDFYzXqoGMX0LK6Qd:YCFI8opV6S

    Score
    10/10
    agentteslacollectionevasionkeyloggerpersistencespywarestealertrojanredlineinfostealer

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

      stealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks