General

  • Target

    6a9b97d6916857f64d90084707de1e00.bin

  • Size

    664KB

  • Sample

    240327-cy1hgsdf7s

  • MD5

    d8894f57bfe3ba2b665d9def7741c71a

  • SHA1

    940e457d7cdc65bc12ab290d2b9b7835289e27f0

  • SHA256

    1f3ebaae5ba347663e2b868be40e1f46591e6d4cdabcb2bb3c0d22e12608e639

  • SHA512

    0246ee7d378de9ac4cd036a2d25847c9fe0a053df8b85048006976aa6b496af8ce55864d9f6a0ef4d5b5d9185ed96239aa020ed0ce7920199f221278ff3347b5

  • SSDEEP

    12288:SBre6MJS7shX9eTYJfSI3w9KNSSqh0Z3z9qHFKKMS+1dlFuuNSpgZJ:SBK5wHiDIfhcZqtMS+1dlFP6gZJ

Malware Config

  • Extracted

    Family: agenttesla

    Credentials: (none extracted)

Targets

    • Target

      2f1acdeff407a2ddcc16a30e5524e07cc543d45e0df27cc0d6da3722f0f7c998.exe

    • Size

      710KB

    • MD5

      6a9b97d6916857f64d90084707de1e00

    • SHA1

      d28f2fa2bd59bbaff092e752ce755220ed847405

    • SHA256

      2f1acdeff407a2ddcc16a30e5524e07cc543d45e0df27cc0d6da3722f0f7c998

    • SHA512

      46e9f4672c111e1cf3c0eb4774059331209c157b976f5a7f3daf96151eb42d891ee33a2da20196783846635d1aaaa748f86053c0577fccc25b33503a47293539

    • SSDEEP

      12288:s84CMwpreEndxfpO7jweeZzsuA2XVlmocKZ4gnTGOc3or5d57cMLX9cswmy1/A:dreAdppO7E7HXVXc/gnTGOv/SNh

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                              ID          Count
  Persistence            Boot or Logon Autostart Execution      T1547       1
                         Registry Run Keys / Startup Folder     T1547.001   1
  Privilege Escalation   Boot or Logon Autostart Execution      T1547       1
                         Registry Run Keys / Startup Folder     T1547.001   1
  Defense Evasion        Modify Registry                        T1112       1
  Credential Access      Unsecured Credentials                  T1552       2
                         Credentials In Files                   T1552.001   2
  Discovery              Query Registry                         T1012       1
                         System Information Discovery           T1082       2
  Collection             Data from Local System                 T1005       2
