General

  • Target

    93bd9b640db01eeb79fea8c0b4840ba70d58aa03c2c2274af72e0ee2c838ad1d

  • Size

    719KB

  • Sample

    240426-cny7nshb91

  • MD5

    2913e5ff6130b0bd4dfe91b961342ddc

  • SHA1

    18b716c46e6d8088bcceea6080f5efbc6995f46e

  • SHA256

    93bd9b640db01eeb79fea8c0b4840ba70d58aa03c2c2274af72e0ee2c838ad1d

  • SHA512

    cc99e8485ab20e329533ca83254d00b7045e42ea0877fe05e320cfcbed3b66885e99b73f7cbb84c02fdb35999d4019fbae1810a8e4c52e71f64c91ea4b018562

  • SSDEEP

    12288:IWYIPXjxannnHg2TjQXJ/YmJclIGUX1gjtqGNcSzMq3mttUZgU2f4FVsWnpfkR:IWYIPFannnHg2Q5/Ym9GUFgjmSzMqGrR

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.alitextile.com
  • Port:
    587
  • Username:
    9@alitextile.com
  • Password:
    Myname321@
  • Email To:
    99patrick@alitextile.com

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution: Scheduled Task/Job (T1053), 1 signature
  • Persistence: Scheduled Task/Job (T1053), 1 signature
  • Privilege Escalation: Scheduled Task/Job (T1053), 1 signature
  • Credential Access: Unsecured Credentials (T1552), 2 signatures; Credentials In Files (T1552.001), 2 signatures
  • Discovery: Query Registry (T1012), 1 signature; System Information Discovery (T1082), 2 signatures
  • Collection: Data from Local System (T1005), 2 signatures
