Overview

overview

10

Static

static

3

Inquiry.exe

windows7-x64

10

Inquiry.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ba56d12e7e4a9881bf9d8dd6859757ac2df68218b41bc64d38ccad08e5403ac3.z

  • Size

    597KB

  • Sample

    240328-c2dswsdc21

  • MD5

    02c423946b226d33971a98d5fe60ad64

  • SHA1

    9765a64376782be2ec358e5b02dbcf927bf9cacc

  • SHA256

    ba56d12e7e4a9881bf9d8dd6859757ac2df68218b41bc64d38ccad08e5403ac3

  • SHA512

    ec71308ffc5c3b6e60f3f3e04622eae3f1dfe4ecf79e26a9ee3e4d54864763469e176a4bdfbd421ce2ed01653f93da29e346f120e52dbdeb0fdf0ce64d783dee

  • SSDEEP

    12288:q41gdn12cHY7JQVcstzPrH403Q8m+A95p9Mn9RxnvzNhF+F:qhd1mQHtbrY/8zAfp9SRlvzt+F

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Inquiry.exe

    • Size

      602KB

    • MD5

      cdef16a2a2116cd907aa817b11217cfd

    • SHA1

      d23ba1f017c0e65ba65203c889a2bea963d63d3a

    • SHA256

      da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6

    • SHA512

      9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae

    • SSDEEP

      12288:lYyGYZS6ESbpYa4i2BzmVNhsBQN/nRTOPihFr3iUR42q6N:IUDESbwylT/nRKWrPN

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables packed with or use KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks