General

  • Target

    f48bc5d53964eaabd32c0dd7a11403b8b259c86331a37bf73b54e47ad6b101f1.exe

  • Size

    656KB

  • Sample

    240424-cgqxqaea9w

  • MD5

    751e78ef16d2d546c1e6695873f1d352

  • SHA1

    42a18e7d7df3c15f30ecefde3e98b0fa31aacdf0

  • SHA256

    f48bc5d53964eaabd32c0dd7a11403b8b259c86331a37bf73b54e47ad6b101f1

  • SHA512

    4eabf5178ec304e560867d2c1f98934855ceba4be7e7b33fd1a40d6324d303a2b8cfd69d493a940ec6962a0937f8adb5d72a7d05d2a8e46342d432ccaef8166b

  • SSDEEP

    12288:6UF9WMJni5vVPF3A9rc24wDu2Hbc02YrRFIAmhNtgMG0:6U2MJi5vVlobfHbiUFaGMT

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      f48bc5d53964eaabd32c0dd7a11403b8b259c86331a37bf73b54e47ad6b101f1.exe

    • Size

      656KB

    • MD5

      751e78ef16d2d546c1e6695873f1d352

    • SHA1

      42a18e7d7df3c15f30ecefde3e98b0fa31aacdf0

    • SHA256

      f48bc5d53964eaabd32c0dd7a11403b8b259c86331a37bf73b54e47ad6b101f1

    • SHA512

      4eabf5178ec304e560867d2c1f98934855ceba4be7e7b33fd1a40d6324d303a2b8cfd69d493a940ec6962a0937f8adb5d72a7d05d2a8e46342d432ccaef8166b

    • SSDEEP

      12288:6UF9WMJni5vVPF3A9rc24wDu2Hbc02YrRFIAmhNtgMG0:6U2MJi5vVlobfHbiUFaGMT

    • AgentTesla

Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET). It harvests credentials from browsers, mail clients, FTP clients and other local stores and exfiltrates them over SMTP, FTP, HTTP or Telegram.

    • Detects packed .NET executables, mostly AgentTesla v4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects (the vaultcli.dll API). Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Checks computer location settings

      Looks up the country code configured in the registry; this is most likely used as a geofence so the payload only runs (or refuses to run) in selected regions.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on a suspended thread is the step that process hollowing and similar injection techniques use to redirect execution to an injected payload. On its own it is only a hint; it is the combination with the other signatures above that points to an unpacking loader.
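The string-reference signatures listed above ("referencing many web browsers", "many file transfer clients", the IP lookup service, the registry locale check, SetThreadContext) are all static heuristics: count how many indicators from a category occur in the binary and fire when a threshold is met. The script below is an added example of that approach, not the sandbox's own rule set or the malware's code. The indicator lists, the thresholds and the sample byte blob are constructed for illustration; it scans both ASCII and UTF-16LE strings because .NET assemblies store user strings in the #US heap as UTF-16LE.

```python
import re

# Illustrative indicator sets (assumption: not the sandbox's real rules).
CATEGORIES = {
    "browsers": ["Chrome", "Firefox", "Opera", "Edge", "Brave", "Vivaldi", "Yandex"],
    "vault": ["VaultOpenVault", "VaultEnumerateItems", "VaultGetItem", "vaultcli.dll"],
    "mail_clients": ["Outlook", "Thunderbird", "Foxmail", "The Bat!", "IncrediMail"],
    "ftp_clients": ["FileZilla", "WinSCP", "CoreFTP", "FTP Navigator", "SmartFTP"],
    "crypto_wallets": ["Electrum", "Exodus", "wallet.dat", "Ethereum"],
    "ip_lookup": ["api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"],
    "geo_registry": ["Control Panel\\International", "GeoID", "sCountry"],
    "thread_context": ["SetThreadContext", "GetThreadContext", "NtUnmapViewOfSection"],
}
# Minimum distinct indicators per category before the signature fires (assumed values).
THRESHOLDS = {"browsers": 3, "vault": 1, "mail_clients": 2, "ftp_clients": 2,
              "crypto_wallets": 2, "ip_lookup": 1, "geo_registry": 1, "thread_context": 1}
SIGNATURES = {
    "browsers": "Detects binaries referencing many web browsers",
    "vault": "Detects executables referencing Windows vault credential objects",
    "mail_clients": "Detects executables referencing many email and collaboration clients",
    "ftp_clients": "Detects executables referencing many file transfer clients",
    "crypto_wallets": "Detects executables referencing many confidential data stores",
    "ip_lookup": "Looks up external IP address via web service",
    "geo_registry": "Checks computer location settings",
    "thread_context": "Suspicious use of SetThreadContext",
}


def extract_strings(data: bytes, min_len: int = 5) -> list[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in utf16_re.finditer(data)]
    return found


def match_categories(data: bytes) -> dict[str, list[str]]:
    """Map each category to the sorted list of its indicators present in data."""
    strings = extract_strings(data)
    hits = {}
    for cat, indicators in CATEGORIES.items():
        matched = {ind for ind in indicators if any(ind in s for s in strings)}
        if matched:
            hits[cat] = sorted(matched)
    return hits


def fired_signatures(data: bytes) -> list[str]:
    """Signature names whose category reached its threshold, like a sandbox report."""
    hits = match_categories(data)
    return sorted(SIGNATURES[cat] for cat in CATEGORIES
                  if len(hits.get(cat, [])) >= THRESHOLDS[cat])


def build_sample() -> bytes:
    """Constructed stand-in for a stealer binary: ASCII imports plus UTF-16LE .NET strings."""
    ascii_part = b"MZ" + b"\x00" * 16 + b"SetThreadContext\x00ResumeThread\x00VaultEnumerateItems\x00"
    user_strings = ["Google\\Chrome\\User Data", "Mozilla\\Firefox\\Profiles", "Opera Software",
                    "FileZilla\\recentservers.xml", "WinSCP", "Outlook", "Thunderbird",
                    "https://api.ipify.org", "Control Panel\\International"]
    utf16_part = "".join(s + "\x00" for s in user_strings).encode("utf-16le")
    return ascii_part + utf16_part + b"\x00" * 8


if __name__ == "__main__":
    sample = build_sample()
    for cat, matched in match_categories(sample).items():
        print(f"{cat:15s} {matched}")
    print("fired:", *fired_signatures(sample), sep="\n  ")
```

Run against a real file with `fired_signatures(open(path, "rb").read())`. These heuristics describe capability, not intent: a legitimate backup utility or password manager references the same browser and mail-client paths, which is why the report phrases them as "observed in information stealers" rather than as a verdict. Applied to a packed sample like this one, the strings only become visible after unpacking (or in a memory dump taken after the SetThreadContext injection completes), so a hit on the packed file alone usually means the packer stub itself leaks them.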

MITRE ATT&CK Enterprise v15

Tasks