Overview

overview

10

Static

static

3

INOVICE NO...26.exe

windows7-x64

10

INOVICE NO...26.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c8fddfed5179e57fece9eb60e764418e16b907d9c4784d261d8a43d266df3ccd.lzh

  • Size

    623KB

  • Sample

    240328-c3sy7sba32

  • MD5

    df864f04d12f8cfec6321174816bd997

  • SHA1

    900b011d2d6875a917e5e40d271f86b4171f49c1

  • SHA256

    c8fddfed5179e57fece9eb60e764418e16b907d9c4784d261d8a43d266df3ccd

  • SHA512

    e719b3bd25744f1054a82602fa5371a94b4c5bde1192402d5046a0a249145af7e8987fc30f7a2f3679256042f3b5607a13eb194b6a80ce47396700661a4881ec

  • SSDEEP

    12288:2RT38lnR01DHGf8jrYyepNQwsWeJkXEr5t4vkgsgGs2xLK8TqhMyKa:UrR7QD1OJk0r5t4cH3sLqxa

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.talesur.com
  • Port:
    587
  • Username:
    builder@talesur.com
  • Password:
    gvQwu);oQS*Q
  • Email To:
    result@talesur.com

Targets

    • Target

      INOVICE NO CY-W-24-17-26.exe

    • Size

      714KB

    • MD5

      d57f61c8ca3a73cad73f5cb160d2e1a8

    • SHA1

      62a5c18d4194f1f4bef658fd24cb68a3067537a3

    • SHA256

      bf97d8ee1b61a6699e0a1ff3cda31252cfbd154804673d83dd68b1fee155f953

    • SHA512

      bcb796de15d4519b4d2c6a701bcb1b83bb5fd09d9a04ac31c66a82326d4ecba30bc8bde0dff5a4008b120d3d0642820e60d34264c2cb253ba04e7deb0323d430

    • SSDEEP

      12288:gFoO3mYoQxv9wQNWk9eGwk5Lq8RVDrlYGI/d8FR2ij6QnLkB:ghbhxv9wQNV5e8fGOwQnAB

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks