Overview

overview

10

Static

static

3

9b6287ed08...b7.exe

windows7-x64

10

9b6287ed08...b7.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7.exe

  • Size

    668KB

  • Sample

    240328-cyxrladb6y

  • MD5

    b2ebfbb63f7ccdff15e24e4ff801c986

  • SHA1

    584079acf1abc206fca557907ab0c258ebc21a9a

  • SHA256

    9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7

  • SHA512

    dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2

  • SSDEEP

    12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFRU:zsuMA7O9nZQktjs1+ps0CI1Ox6nRU

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    cp8nl.hyperhost.ua
  • Port:
    587
  • Username:
    royallog@fibraunollc.top
  • Password:
    7213575aceACE@#$
  • Email To:
    royal@fibraunollc.top

Targets

    • Target

      9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7.exe

    • Size

      668KB

    • MD5

      b2ebfbb63f7ccdff15e24e4ff801c986

    • SHA1

      584079acf1abc206fca557907ab0c258ebc21a9a

    • SHA256

      9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7

    • SHA512

      dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2

    • SSDEEP

      12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFRU:zsuMA7O9nZQktjs1+ps0CI1Ox6nRU

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or use KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks