Overview

overview

10

Static

static

3

13c8ddb6f9...b4.exe

windows7-x64

10

13c8ddb6f9...b4.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    13c8ddb6f93accdd2ecf3725d709b438fe1eeb3637e42a2df7e141ec339287b4.exe

  • Size

    687KB

  • Sample

    240329-chfhdafc59

  • MD5

    34e65ca275e94eb01fa9bff73b1a4f99

  • SHA1

    243e7e34ada4e5993c836980e899664a85eaa14b

  • SHA256

    13c8ddb6f93accdd2ecf3725d709b438fe1eeb3637e42a2df7e141ec339287b4

  • SHA512

    1021a5d4f04330b68a15c20427c510ae7c2960e70eb6b40050415bcb8e7f99576cd4264555c7ee879341c9451ea1eeeab56db3c157f73805a9585e1e5aaad9ed

  • SSDEEP

    12288:ig0YOwq+phFjZyzFXvQnUpo0ddzpYIkNbKGQx6GqLBjLH1MtlWlmRvWzfwI:JO7e8F/7NjKIkNbKGwr6WtglWvWD

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      13c8ddb6f93accdd2ecf3725d709b438fe1eeb3637e42a2df7e141ec339287b4.exe

    • Size

      687KB

    • MD5

      34e65ca275e94eb01fa9bff73b1a4f99

    • SHA1

      243e7e34ada4e5993c836980e899664a85eaa14b

    • SHA256

      13c8ddb6f93accdd2ecf3725d709b438fe1eeb3637e42a2df7e141ec339287b4

    • SHA512

      1021a5d4f04330b68a15c20427c510ae7c2960e70eb6b40050415bcb8e7f99576cd4264555c7ee879341c9451ea1eeeab56db3c157f73805a9585e1e5aaad9ed

    • SSDEEP

      12288:ig0YOwq+phFjZyzFXvQnUpo0ddzpYIkNbKGQx6GqLBjLH1MtlWlmRvWzfwI:JO7e8F/7NjKIkNbKGwr6WtglWvWD

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks