Overview

overview

10

Static

static

3

new invoice.exe

windows7-x64

10

new invoice.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6e7c9c5b9bb89d26e3ea4897edc8da5bc7aa9f72cf4dad76b156807baf994761.rar

  • Size

    647KB

  • Sample

    240328-cs6gjsda71

  • MD5

    e2abc54082b99499d2cc923fc5a5c3e7

  • SHA1

    a7ff2f9af630f0b459a65e7dc2777e4345a340b0

  • SHA256

    6e7c9c5b9bb89d26e3ea4897edc8da5bc7aa9f72cf4dad76b156807baf994761

  • SHA512

    3824d67f23e7b84398703408c85a1a4d81d00746a1a7e95b74196f485c1bce78e4830c1b02ace74532e7d870c05cf642b0dd348f6b1b8020aef7ddb78ce07a29

  • SSDEEP

    12288:S7KvRYKugcPogf3yCqW0IYrAaQYmfNJ738VW8ewCk13HONElxmwG4MxYY9:S73KBcPogf3bqIY8NJ7MVu5k13HmWxmF

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      new invoice.exe

    • Size

      743KB

    • MD5

      f52a3af798452ba8064246c1c05fca48

    • SHA1

      66327142382aac09b7b954a860a778e8921f3bfc

    • SHA256

      1ed60fc77b07f949a7cc3ced2dd0e0de84ce806a5ebb71d7fc51f31323f2b928

    • SHA512

      8520039308ec25ad01a08395bf875757d060ed4702561c001cd57430a660924afaedee8ac441148fce32562bd68fbecdd9675066842e2091a24800ccaee2fa12

    • SSDEEP

      12288:yBCAygw0Jxx2Nhy5BZvSkFleJSQEiqC1cS7Zx2DRZL6mJ5DTCa0mY:yRj3xky5vFIVqC19ZxsCmXCsY

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks