Overview

overview

10

Static

static

3

9d694ebad6...f3.exe

windows7-x64

10

9d694ebad6...f3.exe

windows10-2004-x64

10

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

Pseudomorp...ch.ps1

windows7-x64

8

Pseudomorp...ch.ps1

windows10-2004-x64

8

Sharing

Copy URL Twitter E-mail

General

  • Target

    9d694ebad62d4b222e96cafd4f25c758b62d72250c2a280de04f0c4ea014eff3

  • Size

    1.1MB

  • Sample

    240229-b129esad31

  • MD5

    a54ccb6ba28ed4f0338c3c51508012d4

  • SHA1

    4464d73183ce42c61e62a5bfeb3edc2c905fc7de

  • SHA256

    9d694ebad62d4b222e96cafd4f25c758b62d72250c2a280de04f0c4ea014eff3

  • SHA512

    418c3d6b803b8db3df8c778dcb857954107b86435ab313ce053d995e8c89f7e401331cf57f028ce872e600a4cef661d2bcddb8f3a55e5e8f62b2d44e0ce84351

  • SSDEEP

    24576:uIawDTpcxeT2pAdENdCJnCOE9E5FhGpSoDQbEUHx1HMp3ex7O4GMy:Z0C2YyCJvE6cpuQURtuuxzGMy

Score
10/10
agentteslaguloaderdownloaderkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      9d694ebad62d4b222e96cafd4f25c758b62d72250c2a280de04f0c4ea014eff3

    • Size

      1.1MB

    • MD5

      a54ccb6ba28ed4f0338c3c51508012d4

    • SHA1

      4464d73183ce42c61e62a5bfeb3edc2c905fc7de

    • SHA256

      9d694ebad62d4b222e96cafd4f25c758b62d72250c2a280de04f0c4ea014eff3

    • SHA512

      418c3d6b803b8db3df8c778dcb857954107b86435ab313ce053d995e8c89f7e401331cf57f028ce872e600a4cef661d2bcddb8f3a55e5e8f62b2d44e0ce84351

    • SSDEEP

      24576:uIawDTpcxeT2pAdENdCJnCOE9E5FhGpSoDQbEUHx1HMp3ex7O4GMy:Z0C2YyCJvE6cpuQURtuuxzGMy

    Score
    10/10
    guloaderdownloaderagentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      5ed0696841337a849621abcbb1b12cde

    • SHA1

      c7a27757775c2549705d92381b57057e23d425be

    • SHA256

      3429a7271880c60d8d01025b1bb3e2051454a3cbf94e3bb05be1da9a4f3043fe

    • SHA512

      cd480b7705812948c0bf9b2a414ac9663c6bdc8f98e2039be3dce5c259c4f3fd95544070d1930e644b9dc6bdc09c46775c95ff4e417258f985cd2521285d25a6

    • SSDEEP

      96:CudXZ4BR3SN30izdGcvLhq3SskYuOmHcFVnF8iTkRv2dsnFQfeiCs:Zd+yNlzvLhqis/mcFVn6iTKvYiG2

    Score
    1/10
    behavioral3behavioral4

    • Target

      Pseudomorphine/Rhinoscopic/Amphorous/Breaster/Teach.Dom

    • Size

      57KB

    • MD5

      52350265dabcbaf657c6dfe6b3efea81

    • SHA1

      418863877bcc7d2e3c8723f259645152cee25efe

    • SHA256

      66e9d4294e84cf173fe3b0f1f08d78f9395ee6216d5b74086d8f3c6458f1773c

    • SHA512

      5b71c494a4853dd4092c24956bc5bd27189e5cf7c18766caad5a9e91e138c7c3b9ac54c0c0ec0b3004b2bcc6807bd76442f3ee616df1b21ff6c6cf29ca4a26fa

    • SSDEEP

      1536:8DY0fV6e0T5gmEAB7F6f0rfrLwYBfLkvnM:8DYqzY7F6f0T3wqfLUM

    Score
    8/10
    persistence

    • Modifies Installed Components in the registry

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks