Overview

overview

10

Static

static

3

d2a44cec8d...a6.exe

windows7-x64

10

d2a44cec8d...a6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d2a44cec8dbbd996cc4b5780f907f33fd4040c44519653503f4b17f3288149a6.exe

  • Size

    798KB

  • Sample

    240328-c4v5ysdc6y

  • MD5

    fb029eca94061f0186fc8701bdc85c77

  • SHA1

    08231601ad4894e80dc1bd323456ed5e4cacb13c

  • SHA256

    d2a44cec8dbbd996cc4b5780f907f33fd4040c44519653503f4b17f3288149a6

  • SHA512

    f46da4da503d580eb9fb9648141375f1a5c244d6832a7c426d65337d0e7cec6f515ae1ee9a0921002c4d04b99b01b09775ffe8823e9a557f0ff78aee57cf07d4

  • SSDEEP

    12288:R6dum27u49Zr7EwcCiCXZHvyK7m2GtW8rTRpJ9ShOWQ7G/GFH9eo:R6dufltdcCpPyPW8rTRp6I8+deo

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7189076260:AAHEL9QuHqQcKXN8kPXNO5BpYSd3XtQOqFg/

Targets

    • Target

      d2a44cec8dbbd996cc4b5780f907f33fd4040c44519653503f4b17f3288149a6.exe

    • Size

      798KB

    • MD5

      fb029eca94061f0186fc8701bdc85c77

    • SHA1

      08231601ad4894e80dc1bd323456ed5e4cacb13c

    • SHA256

      d2a44cec8dbbd996cc4b5780f907f33fd4040c44519653503f4b17f3288149a6

    • SHA512

      f46da4da503d580eb9fb9648141375f1a5c244d6832a7c426d65337d0e7cec6f515ae1ee9a0921002c4d04b99b01b09775ffe8823e9a557f0ff78aee57cf07d4

    • SSDEEP

      12288:R6dum27u49Zr7EwcCiCXZHvyK7m2GtW8rTRpJ9ShOWQ7G/GFH9eo:R6dufltdcCpPyPW8rTRp6I8+deo

    Score
    10/10
    agentteslaevasionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or use KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks