Overview

overview

10

Static

static

3

1ed60fc77b...28.exe

windows7-x64

10

1ed60fc77b...28.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1ed60fc77b07f949a7cc3ced2dd0e0de84ce806a5ebb71d7fc51f31323f2b928.exe

  • Size

    743KB

  • Sample

    240328-chkgbsae97

  • MD5

    f52a3af798452ba8064246c1c05fca48

  • SHA1

    66327142382aac09b7b954a860a778e8921f3bfc

  • SHA256

    1ed60fc77b07f949a7cc3ced2dd0e0de84ce806a5ebb71d7fc51f31323f2b928

  • SHA512

    8520039308ec25ad01a08395bf875757d060ed4702561c001cd57430a660924afaedee8ac441148fce32562bd68fbecdd9675066842e2091a24800ccaee2fa12

  • SSDEEP

    12288:yBCAygw0Jxx2Nhy5BZvSkFleJSQEiqC1cS7Zx2DRZL6mJ5DTCa0mY:yRj3xky5vFIVqC19ZxsCmXCsY

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    sg3plcpnl0020.prod.sin3.secureserver.net
  • Port:
    587
  • Username:
    electronics@starmech.in
  • Password:
    gaging@2022
  • Email To:
    godwingodwin397@gmail.com

Targets

    • Target

      1ed60fc77b07f949a7cc3ced2dd0e0de84ce806a5ebb71d7fc51f31323f2b928.exe

    • Size

      743KB

    • MD5

      f52a3af798452ba8064246c1c05fca48

    • SHA1

      66327142382aac09b7b954a860a778e8921f3bfc

    • SHA256

      1ed60fc77b07f949a7cc3ced2dd0e0de84ce806a5ebb71d7fc51f31323f2b928

    • SHA512

      8520039308ec25ad01a08395bf875757d060ed4702561c001cd57430a660924afaedee8ac441148fce32562bd68fbecdd9675066842e2091a24800ccaee2fa12

    • SSDEEP

      12288:yBCAygw0Jxx2Nhy5BZvSkFleJSQEiqC1cS7Zx2DRZL6mJ5DTCa0mY:yRj3xky5vFIVqC19ZxsCmXCsY

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks