Overview

overview

10

Static

static

3

gwOALTMShW0g0JN.exe

windows7-x64

10

gwOALTMShW0g0JN.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    29f792839c38af93ae576b6260ac43e8_JaffaCakes118

  • Size

    559KB

  • Sample

    240329-xgp1msfh55

  • MD5

    29f792839c38af93ae576b6260ac43e8

  • SHA1

    c30645475fdcde42e8bf5211f0948ceccfa678ee

  • SHA256

    7955200ffc3c887f2f0c65bb4b022bd910d6be472e44bdeab4285231b074eb3d

  • SHA512

    cda1b5bee7b127a11e707353f3f94a8d495cc25edca2bde89f70d2c94e9738aedc17f27d3579e51380570a2eb219ae0fa9996a9e8796b883b1d903cd286673dc

  • SSDEEP

    12288:xSs2hAl+aBSRvSDEMwrhoyhtK0r4JM0tyYluw2p8sLxar1Tw:sXAlxY2EMaWyKY4D72p8AarS

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.polastarline.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    donblack12345

Targets

    • Target

      gwOALTMShW0g0JN.exe

    • Size

      713KB

    • MD5

      707621bacd32d4ab21b17157216d3032

    • SHA1

      2318a47d090ab212c924814da86488130f7d8b2c

    • SHA256

      29286d65248d0005ca9c13110d5563b892150291ff16086b29938050a746251f

    • SHA512

      5dabd58015ea9534e35a43114eb145c4b73e0c2f778ac8b5f0d150e2b58961b49f104b8cca4e07d1ad434ee7903fd987a9b80d72b6b738640629d11d19dcc5d6

    • SSDEEP

      12288:YFhvyUi0gu1EMwvhsyhpK8t4BU+fyuZuwkp8sL3cr13q:YLqUigEMEey604hzkp8UcrA

    Score
    10/10
    agentteslacollectionevasionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks