General

  • Target

    00db117ca052e69bb2cde67e8fafab75c786c5f064a43537a4cbfcd6a2366ca3

  • Size

    838KB

  • Sample

    240330-bwwk3sea6z

  • MD5

    3487fcccd1544dbabaa2144ab6d5807a

  • SHA1

    ac8d5d7724691faae52f3ab84b42732577b9f7eb

  • SHA256

    00db117ca052e69bb2cde67e8fafab75c786c5f064a43537a4cbfcd6a2366ca3

  • SHA512

    407ee5a94db98c03e8df9fd25f4caa4b70eb8d279b136cb8f65372065f6468a785880f9245c67e385017b0835c7c97f0f5eb248a48e7d887c0824181af5c0757

  • SSDEEP

    12288:5nPdE2I8+NVtZJ4wCI6fndjQ079Y3d5p5mw9:lPdE2j2tZOfaE+Xp3

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      00db117ca052e69bb2cde67e8fafab75c786c5f064a43537a4cbfcd6a2366ca3

    • Size

      838KB

    • MD5

      3487fcccd1544dbabaa2144ab6d5807a

    • SHA1

      ac8d5d7724691faae52f3ab84b42732577b9f7eb

    • SHA256

      00db117ca052e69bb2cde67e8fafab75c786c5f064a43537a4cbfcd6a2366ca3

    • SHA512

      407ee5a94db98c03e8df9fd25f4caa4b70eb8d279b136cb8f65372065f6468a785880f9245c67e385017b0835c7c97f0f5eb248a48e7d887c0824181af5c0757

    • SSDEEP

      12288:5nPdE2I8+NVtZJ4wCI6fndjQ079Y3d5p5mw9:lPdE2j2tZOfaE+Xp3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Pyrograph/Perikoner/Intermeasuring199/Skibshandlernes.Ove218

    • Size

      58KB

    • MD5

      161d266563cfa870571bd2a76a200777

    • SHA1

      4dad793c0fc2ff315bd201e80cf414864bea5409

    • SHA256

      33095bc104b3928f5a857d2572be6afe3b9890ae110cd9aaf52ceb6a29e943fd

    • SHA512

      430418fa2d550afd8f616420020c1c3d452488d45ba0d0d1b1a296ecc21eca816810872adce077612f12f88a1130c111560cba48b6286f06fb9ac6305729980a

    • SSDEEP

      768:X7Etn9kgxHh0sMNB7kPM2OdEpivZnGL3tZDPrKY1U4CibG3WCnct7dbmsd5apjk5:tgxHGD7kPLOd0My3vCiGHctn3l8i

    Score
    8/10
    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                           Count  ID
Persistence           Boot or Logon Autostart Execution   1      T1547
Persistence           Registry Run Keys / Startup Folder  1      T1547.001
Privilege Escalation  Boot or Logon Autostart Execution   1      T1547
Privilege Escalation  Registry Run Keys / Startup Folder  1      T1547.001
Defense Evasion       Modify Registry                     2      T1112
Discovery             System Information Discovery        3      T1082
Discovery             Query Registry                      3      T1012
Discovery             Peripheral Device Discovery         2      T1120
Command and Control   Web Service                         1      T1102

Tasks