Overview

overview

10

Static

static

1

Admin_review.exe

windows7-x64

10

Admin_review.exe

windows10-2004-x64

10

Milieubesk...ts.ps1

windows7-x64

8

Milieubesk...ts.ps1

windows10-2004-x64

8

Sharing

Copy URL Twitter E-mail

General

  • Target

    Admin_review.img

  • Size

    1.6MB

  • Sample

    240312-zddvbace73

  • MD5

    bb689caaca966e03d0dd6e376b2e4911

  • SHA1

    795de1e1939b1bf3378b17d8a4cf9bc9a0948035

  • SHA256

    fa25c42ef060630d84ef4cdc0e243696347dce142364724290bdc050567e5cc1

  • SHA512

    342edad3c918aeaedd3299e40e54056810a2b218865ef28061e3e17336263e38bb522658bd7ac3f0c74e1a57ca01ab9d4e858c3d97ff427ff75bc7a50d28195d

  • SSDEEP

    24576:laU/LcNbKqeBSHRbrBL8GGAqf6ZIe1wQiJh:YoLc5KqeiLL8xAqeiJ

Score
10/10
agentteslaguloaderdownloaderkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6819958480:AAF64nySfzv7ChZ37GK6CzqvRMYITD_niTY/

Targets

    • Target

      Admin_review.exe

    • Size

      1.1MB

    • MD5

      e04872ea5f2d4ac14209f5bd7dca3619

    • SHA1

      0880d4667ad5f185c101c658ed4a3c469fac5854

    • SHA256

      52b5af73273bf40ca44592af83d300c7316449ef71f465081f68675f09d0a8d3

    • SHA512

      0275eaf5cb37e2c3767ee5635016dc38a4e901427fdd82dc89850e5fd1eb3865abae54611f6e1881b98204b81ca6fcc13816086652185a6e5bc8a164037e6228

    • SSDEEP

      24576:+aU/LcNbKqeBSHRbrBL8GGAqf6ZIe1wQiJh:XoLc5KqeiLL8xAqeiJ

    Score
    10/10
    guloaderdownloaderagentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Milieubeskyttelsesreglements.Mil

    • Size

      53KB

    • MD5

      ec433655f4b42b3dc7302984076b881e

    • SHA1

      19a74d051004feff1f3cc9dd013d171cc1bba453

    • SHA256

      bb1b21627fe100fc3249589d9a7397f8eca993d55c7377d5d58f1a01bf6b5b70

    • SHA512

      b0b235985d4f706ae89e54143586edc4941bd400d05815bdc9471e99d145c5c4b8192d3314aab0a7b5a8e16b974fb54c828252c1919a3b1a11b90cf8980b1c91

    • SSDEEP

      768:JOQ7wLa6zs2rAhGgW2sGO/NMrmnlMrR1MS8cOSlFCF3mGeKwTbfyn8M2Uw7aE5ax:57mlrZgwMrR1RrChyLBFxaXx

    Score
    8/10
    persistence

    • Modifies Installed Components in the registry

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks