Overview

overview

10

Static

static

1

3137663df9...0b.exe

windows7-x64

10

3137663df9...0b.exe

windows10-2004-x64

10

Borteskamo...of.ps1

windows7-x64

8

Borteskamo...of.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7971d20d1b569b51e56f37fc734a1c81.bin

  • Size

    571KB

  • Sample

    240405-bv9rbagd41

  • MD5

    aa719668b1165ed961dc33231b856688

  • SHA1

    122c259fe1c5a9082f8691357c36b18a639d0431

  • SHA256

    545c9b0499ec2a2e5503d72d76954ed020e63a290895cb3fcd4f382a2496b31a

  • SHA512

    aad2592f065e3f02ba9bf85dbc080b05b364524166dfa2cebc68de9d753d51db713f7630c8132bcf32c4240916068893cec727102f32d6789329b0b07d9f8bd7

  • SSDEEP

    12288:tFamtIAtNGMoQabmnknqhTv/U09s/vYbtqDUfasiO76H3M4Ef/x4G58:7ptI+NGMo9mnWqtceAeqDAC3le/xq

Score
10/10
agentteslaguloaderdownloaderkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe

    • Size

      652KB

    • MD5

      7971d20d1b569b51e56f37fc734a1c81

    • SHA1

      3c1a1fa66cd9890c8e0021853d39ab7b3aefc5c7

    • SHA256

      3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b

    • SHA512

      6efbec26eebfcaeed965a46ab22f4870fc6fa93d09818c7cf03782f34c8a768b4defa5b9b1f347ef41798df82c725a3f5a402793d977e6d791fe5b857d36c6a4

    • SSDEEP

      12288:nXRAvufNFTr7L/R90rJ2RPBY+K9Yc65vpNpqwDwmuu6TNxFu+i:nXRyUNJr7L30N2RJXKz65vprPqu6hxF+

    Score
    10/10
    agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Borteskamoteringers/Fridtjof.Bea

    • Size

      58KB

    • MD5

      b747bba9cd5ec658f83a8f004b9ddc9b

    • SHA1

      eb25e589a4de7af6afd91ccaf9c12f30aaf3c67a

    • SHA256

      4fc178d7b0c912917422d5259e796c28f38a765bc3f56fa14df7480b49a0f2f2

    • SHA512

      7e115a0e8cc9b16cd7eeafc6aa6635815763384ab543bb92308c197af849a49e9109f775652151617dc094862313109830091f5d203f582a887595b81b875d9e

    • SSDEEP

      1536:ft7VcOuMK0tpHzCNB2PPEcs2WlyRRpAbeKbKCU:f7QgJzMB2kcs2qHbeKuCU

    Score
    8/10
    persistence

    • Modifies Installed Components in the registry

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks