General

  • Target: 56d14e3987e9ad35bf1bd23f860bd9b0.bin
  • Size: 669KB
  • Sample: 240327-ct5awade2y
  • MD5: 2e24fbbcf888eca3e467ef173558779e
  • SHA1: 59d353abf924022077ebc8897472ccf493ac6436
  • SHA256: 3b4de02df63eb08ccee4d56a263eaa35031a57505f9adbca675b57508df0ca90
  • SHA512: c6966143059e3e4b7599629afc36a6288dee05926d9cc22ea6c30aba7e2ec83327c748cbb1f88b17cf19772bd32c894ef0c49c41ff99d59ad94d857ca1ef5708
  • SSDEEP: 12288:sXKdqDnDNJmKc2sraDyZYbUFtxjNPUTyK8/B3dFSsgEYQTOLoIAP7mB8TSA:s6dAbmKc2srMyYwtx5P8ybp3d0HEViLW

Malware Config

Extracted

  • Family: agenttesla

Extracted Credentials

  • Protocol: smtp
  • Host: mail.animetals.com.my
  • Port: 587
  • Username: [email protected]
  • Password: 8VHMY#KF%kpF

Targets

    • Target: da453b1b8927be6d7714036b6089a94641f7eafcac495be86d121543d42b4679.exe
    • Size: 714KB
    • MD5: 56d14e3987e9ad35bf1bd23f860bd9b0
    • SHA1: 56d0089f14f78f23c67270036881a052b1e48c4e
    • SHA256: da453b1b8927be6d7714036b6089a94641f7eafcac495be86d121543d42b4679
    • SHA512: 77f35c7898606bc00f94bf4da8fdc271825ebb612c6138e156be6ad842864fc576d6df11b840ac8aa2377dcefe173377247b6042b012479a413ff0bc3d191cfb
    • SSDEEP: 12288:Q4CMwhob8XQbTa+e5ssnnRLhXPxdWEcfTI7ecBgLGwNsTtmX2NaZBqiA:2obiQPBe5ssnRLNZdyiOhsTgX2NiBq

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely used for geofencing.

    • Reads WinSCP keys stored on the system
      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients
      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • T1053 Scheduled Task/Job (1)

Persistence
  • T1053 Scheduled Task/Job (1)

Privilege Escalation
  • T1053 Scheduled Task/Job (1)

Credential Access
  • T1552 Unsecured Credentials (4)
    • T1552.001 Credentials In Files (3)
    • T1552.002 Credentials in Registry (1)

Discovery
  • T1012 Query Registry (1)
  • T1082 System Information Discovery (2)

Collection
  • T1005 Data from Local System (4)

Tasks