General

  • Target

    5b494f1ff90dc1d527b8c1b301bdccef380ee9b0bc771486975c1f0075ba9243.exe

  • Size

    686KB

  • Sample

    240328-crhzvsag25

  • MD5

    5d76a9e3a1948a1307330e52cfefd7bb

  • SHA1

    28b7ec354c2d4202278bab3c742eb06f36c56902

  • SHA256

    5b494f1ff90dc1d527b8c1b301bdccef380ee9b0bc771486975c1f0075ba9243

  • SHA512

    5d29d8b0153c21c9d33ea72b9abc50a66324e6291a7ae4ef96d7e284253f774f9f1a75794df859eb0f456c219076f7330b1d1bbdf2ac16c1d6125dcb2c81b376

  • SSDEEP

    12288:RphmU6GDRn/dWA9NhoaFREwZ2+TAjliqMRgYHaNgI9b46IdAK:nNn77hKwZFEkXhogI9blI

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gosportz.in
  • Port:
    587
  • Username:
    sales@gosportz.in
  • Password:
    Ss@gosportz
  • Email To:
    info.superseal@yandex.com

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gosportz.in
  • Port:
    587
  • Username:
    sales@gosportz.in
  • Password:
    Ss@gosportz

Targets

    • Target

      5b494f1ff90dc1d527b8c1b301bdccef380ee9b0bc771486975c1f0075ba9243.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or using KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
