General

  • Target

    bae58a6286d8fb60c1118d8024c0aa7e8e8476405b17d05b68502e6bce5b1fd8.r09

  • Size

    593KB

  • Sample

    240327-c436kaag98

  • MD5

    7802b0eb35cf10723b27f54c862cb0be

  • SHA1

    e215dfb65ee69690739ae9d2cee970dd07d80245

  • SHA256

    bae58a6286d8fb60c1118d8024c0aa7e8e8476405b17d05b68502e6bce5b1fd8

  • SHA512

    55e4361d32ca9f4b28a644b6f280279c176cdf6c0be72884cfac94683b75a26ac73a26a334861792295b7bfdaca4f2542c40511715bd4c84ffdecdb2c47ed42f

  • SSDEEP

    12288:Y0LffZibT48SIYZRqBAI/g0nHzeRUbRAtTbhlt:Yu3ZG48SIaR7I/nHze9hhf

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      kYyBuIFRcL6U7Fl.exe

    • Size

      604KB

    • MD5

      dc6c813e0b5c0adab63e8f6e47d3fb76

    • SHA1

      c9979e87cf35d8563a16bf52ad762c04c89badc9

    • SHA256

      3d6012eb13b5a891571ea2d7c7bf120b9c12d479e5cb2c6ffc7e515e14c46866

    • SHA512

      c3e83b275c6aedbf56fe581b6e5f5b7f9ec33573c460eca63590a33326c08378dd7ea04b1d80807fdfc74738d432adb9b37892a0655aff8611d2e30f4d9f9ef3

    • SSDEEP

      12288:z+E26ddIYd1x66+9GreDc4bRbOpPE6/5kqRQeB0QzauW2a5W:aOwO1mQreDc4lypPp+kQelzauWS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic .NET).

    • Detects packed .NET executables, mostly AgentTesla v4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is a common step in process hollowing and other process injection techniques.
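The three behavioural signatures above (registry country-code lookup, external IP lookup via a web service, SetThreadContext use) can be checked against a sandbox API/registry/network trace. The following is an added example, not output of the sandbox and not code belonging to the sample; the `pid|kind|detail` event format and the sample lines are constructed for this illustration, and the registry value paths, the IP-echo host list and the hollowing API order are assumptions, since the report itself names none of them.

```python
"""Behavioural triage of sandbox events against the three behavioural
signatures raised in this report (geofence registry check, external IP
lookup, SetThreadContext use). Added example for illustration; the event
format, the sample lines and the indicator lists are constructed here and
are not the output of any sandbox or the sample's own code.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Registry values a geofence check typically reads. The report only says
# "country code configured in the registry"; these paths are assumptions.
GEOFENCE_PATTERNS = (
    r"\\Control Panel\\International\\Geo\\Nation$",
    r"\\Control Panel\\International\\sCountry$",
)

# Legitimate IP-echo services commonly contacted by stealers (assumed list).
IP_LOOKUP_HOSTS = frozenset({
    "api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com",
})

# Classic hollowing order: suspended child, overwrite its image, redirect the
# main thread, resume. SetThreadContext on its own is only "suspicious".
HOLLOWING_SEQUENCE = ("CreateProcessW", "WriteProcessMemory",
                      "SetThreadContext", "ResumeThread")

# Constructed event format: pid|kind|detail
EVENT_RE = re.compile(
    r"^(?P<pid>\d+)\|(?P<kind>reg_read|dns|http|api)\|(?P<detail>.+)$")

SIG_GEOFENCE = "Checks computer location settings"
SIG_EXTIP = "Looks up external IP address via web service"
SIG_STC = "Suspicious use of SetThreadContext"
SIG_HOLLOW = "Process hollowing API sequence"


def parse_event(line):
    """Return (pid, kind, detail) or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    return (m["pid"], m["kind"], m["detail"]) if m else None


def host_of(kind, detail):
    """Hostname contacted by a dns event or an http event ('GET http://host/path')."""
    if kind == "dns":
        return detail.strip().lower()
    return (urlsplit(detail.split()[-1]).hostname or "").lower()


def is_subsequence(needle, haystack):
    """True if every item of needle appears in haystack in that order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def triage(lines):
    """Map each pid to the sorted list of signature names its events match."""
    per_pid = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            per_pid[ev[0]].append(ev[1:])

    results = {}
    for pid, events in per_pid.items():
        hits = set()
        for kind, detail in events:
            if kind == "reg_read" and any(
                    re.search(p, detail, re.I) for p in GEOFENCE_PATTERNS):
                hits.add(SIG_GEOFENCE)
            elif kind in ("dns", "http") and host_of(kind, detail) in IP_LOOKUP_HOSTS:
                hits.add(SIG_EXTIP)
        # The API name is everything before the first "(" in the detail field.
        api_calls = [d.split("(", 1)[0] for k, d in events if k == "api"]
        if "SetThreadContext" in api_calls:
            hits.add(SIG_STC)
            if is_subsequence(HOLLOWING_SEQUENCE, api_calls):
                hits.add(SIG_HOLLOW)
        if hits:
            results[pid] = sorted(hits)
    return results


# Constructed sample trace: pid 4120 behaves like the payload described in the
# report, pid 4200 is an unrelated process that reads a locale value and
# resolves an ordinary hostname, pid 4300 only touches a thread context.
SAMPLE_EVENTS = [
    r"4120|reg_read|HKCU\Control Panel\International\Geo\Nation",
    r"4120|dns|api.ipify.org",
    r"4120|http|GET http://api.ipify.org/",
    r"4120|api|CreateProcessW(C:\Windows\target.exe, CREATE_SUSPENDED)",
    r"4120|api|WriteProcessMemory(0x2a8, 0x400000, 0x9c000)",
    r"4120|api|SetThreadContext(0x2ac)",
    r"4120|api|ResumeThread(0x2ac)",
    r"4200|reg_read|HKCU\Control Panel\International\sDecimal",
    r"4200|dns|example.com",
    r"4300|api|SetThreadContext(0x1f0)",
    "not an event line",
]

if __name__ == "__main__":
    for pid, sigs in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(sigs))
```

Run stand-alone, the script reports pid 4120 with all four signatures and pid 4300 with only the SetThreadContext signature; pid 4200 produces no hit because reading a non-geographic locale value and resolving an ordinary hostname match none of the indicators. The per-pid grouping matters: the hollowing sequence is only meaningful when the four calls come from the same process in that order.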

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job, T1053 (1)

  • Persistence

    Scheduled Task/Job, T1053 (1)

  • Privilege Escalation

    Scheduled Task/Job, T1053 (1)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (2)
