General

  • Target

    e132185374633a035dbe72782fd0350698708b1821607ea463d23fc2d4d10d50

  • Size

    676KB

  • Sample

    240424-cmk9eseb5w

  • MD5

    9796913f8a736a1fb138c7ce52edc5e8

  • SHA1

    3c701218988e73a4f663ae065511fb0fe6a350ff

  • SHA256

    e132185374633a035dbe72782fd0350698708b1821607ea463d23fc2d4d10d50

  • SHA512

    7f644a8441eb12c6f751d287630164a9ca2960ab09860e5f5c8906d950c916852e011286460c036f0864c76d4e423f34f2b8b6adfc057ea57049f1d35468aed4

  • SSDEEP

    12288:4RY4jEM+npfP2dtBJcSnhjwDhAo6qrljR1O/aawFIMGdXiIEpXo+0QPeAnKNLOz5:4RLgpfYvlnxmhNrlF1O8s+mjNCz5

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6898096162:AAFzf90ZkuQ80ZmTP6HPUBE8_1lQzS4JyCI/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks