General

  • Target

    0f9d3f2e7e70b89cb6ff99273f5eebd0ad41298830b56f89a4c8a8cb96ddba2c

  • Size

    617KB

  • Sample

    240417-rv9pbadf2x

  • MD5

    6fc0f4c89170ec596e7f7fcc2c83464e

  • SHA1

    9c0e13125459351a3dfd736d127721f93cc9d46e

  • SHA256

    0f9d3f2e7e70b89cb6ff99273f5eebd0ad41298830b56f89a4c8a8cb96ddba2c

  • SHA512

    425e2a67738dfc8cb1b837b25d534888a6b409dec7bce4670e3ac148e70959f7935cb79720e317f2ec2fb2adff30e7ed7e5d5b8b3423cd438fd8187156f1de0b

  • SSDEEP

    12288:wvAca64MSSDREulHUimwZPcdKheHrz3bELgyeJSuI+Oa:Ka2SS9EulHUihcdKIrfEPuJ

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6449842746:AAH1JUQ2Q5gmTWbMu0YfLR-2V7Z16tz7TzY/
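
The C2 above is a Telegram Bot API endpoint with the bot token embedded in the URL path. The following is an added example, not part of the sandbox report: it pulls Telegram bot URLs out of proxy-log or config text, splits the token into the numeric bot ID and the 35-character secret, validates that shape, and flags the Bot API methods a stealer would use to move data out. The sample log lines are constructed for this example, and the short list of exfiltration methods is the author's assumption, not something the report states.

```python
"""Extract and triage Telegram Bot API C2 URLs from log or config text.

Added example (not part of the sandbox report). Input is any iterable of
text lines; output is a list of TelegramC2 records with the bot ID, secret,
and Bot API method that was called, if any.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Telegram bot tokens have the form "<numeric bot id>:<35-char secret>" and
# the Bot API embeds the whole token in the path right after "/bot".
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])"
    r"(?:/(?P<method>[A-Za-z]+))?"
)

# Bot API methods that carry data off the host. Assumption for this example:
# this is the set an analyst would alert on, not a list taken from the report.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    secret: str
    method: Optional[str]
    source_line: int

    @property
    def token(self) -> str:
        return f"{self.bot_id}:{self.secret}"

    @property
    def redacted_token(self) -> str:
        # Keep the bot ID for pivoting across samples; hide most of the secret
        # so the token can go into a report without being directly reusable.
        hidden = "*" * (len(self.secret) - 7)
        return f"{self.bot_id}:{self.secret[:4]}{hidden}{self.secret[-3:]}"

    @property
    def is_exfil(self) -> bool:
        return self.method in EXFIL_METHODS


def extract_telegram_c2(lines: Iterable[str]) -> List[TelegramC2]:
    """Return every well-formed Telegram bot URL found, in order of appearance."""
    hits: List[TelegramC2] = []
    for lineno, line in enumerate(lines, start=1):
        for m in TELEGRAM_BOT_URL.finditer(line):
            hits.append(TelegramC2(m["bot_id"], m["secret"], m["method"], lineno))
    return hits


def unique_tokens(hits: Iterable[TelegramC2]) -> List[str]:
    """Distinct full tokens, sorted, for use as indicators."""
    return sorted({h.token for h in hits})


# Constructed sample: an exfil call on the bot from the report, the bare C2
# URL as listed in the report, a benign Telegram web visit, and a malformed
# token that must not match.
SAMPLE_LINES = [
    "2024-04-17T10:02:11Z POST https://api.telegram.org/bot6449842746:AAH1JUQ2Q5gmTWbMu0YfLR-2V7Z16tz7TzY/sendDocument 200",
    "2024-04-17T10:02:09Z GET https://api.telegram.org/bot6449842746:AAH1JUQ2Q5gmTWbMu0YfLR-2V7Z16tz7TzY/ 200",
    "2024-04-17T10:05:44Z GET https://web.telegram.org/k/ 200",
    "2024-04-17T10:06:01Z GET https://api.telegram.org/bot123:tooshort/getMe 404",
]

if __name__ == "__main__":
    for hit in extract_telegram_c2(SAMPLE_LINES):
        flag = "EXFIL" if hit.is_exfil else "c2"
        print(f"line {hit.source_line}: {flag:5} bot={hit.redacted_token} method={hit.method}")
```

The bot ID is the part worth keeping in the clear: it stays constant even if the operator rotates the secret, so it is the better pivot when hunting for related samples or traffic.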

Targets

    • Target

      ba6ca59893666207fcc985056f408e08b82a09e6938a746edb2e769dc47d6ba7.exe

    • Size

      633KB

    • MD5

      ab4a7095947ee160de78ccd158baafc9

    • SHA1

      76e1dccb90382e5772b5651efbf725fd7f3bb317

    • SHA256

      ba6ca59893666207fcc985056f408e08b82a09e6938a746edb2e769dc47d6ba7

    • SHA512

      0769cc39df610c17da050540a713e3d97b6f75b9baddddc84641f89d71ff8ebefaf640256b0af17f5255e256634c06ece6eb3ac76617ff030db1667ebc29f411

    • SSDEEP

      12288:PGxLvnA7dLUvSLR3swp5Ii+gCfDbiT4u1XrR88pHe8tgmROOBaDW:PGx7nA7evCJzoi8MrOiJgr+ay

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; its builds are typically written in Visual Basic .NET or C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting another thread's context is a common step in process hollowing and similar code-injection techniques.

MITRE ATT&CK Enterprise v15

Tasks