Overview

overview

10

Static

static

3

c2397ab357...60.exe

windows7-x64

10

c2397ab357...60.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c2397ab357eae308b98360110c809e8e63d48d7b8b88449615a5a252354b2c60

  • Size

    745KB

  • Sample

    240328-bpvp7sac25

  • MD5

    a2fae54266cb96924d3a16fef3b39122

  • SHA1

    4b0507361804b6579d80642f3375604690bbf07b

  • SHA256

    c2397ab357eae308b98360110c809e8e63d48d7b8b88449615a5a252354b2c60

  • SHA512

    f94578821bf2755bacd9cb668f8df3554e4a7e7247eca32a3814abab7180d2060ed4a77a76fe12130c1aeba09bf95ac9a3e896ae4681ce2e9cf28951331c81af

  • SSDEEP

    12288:Hdyr89smmxgbHwwTkOk9SmRBR0dn2mL/8iHsbRgTsI0rtAjmaY:Hd+gfawTJatOt2mouGaY

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7192961923:AAEu0sYs8DVbOCj8GP81IJlqXCHjJ_Qooak/

Targets

    • Target

      c2397ab357eae308b98360110c809e8e63d48d7b8b88449615a5a252354b2c60

    • Size

      745KB

    • MD5

      a2fae54266cb96924d3a16fef3b39122

    • SHA1

      4b0507361804b6579d80642f3375604690bbf07b

    • SHA256

      c2397ab357eae308b98360110c809e8e63d48d7b8b88449615a5a252354b2c60

    • SHA512

      f94578821bf2755bacd9cb668f8df3554e4a7e7247eca32a3814abab7180d2060ed4a77a76fe12130c1aeba09bf95ac9a3e896ae4681ce2e9cf28951331c81af

    • SSDEEP

      12288:Hdyr89smmxgbHwwTkOk9SmRBR0dn2mL/8iHsbRgTsI0rtAjmaY:Hd+gfawTJatOt2mouGaY

    Score
    10/10
    agentteslaevasionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks