Overview

overview

10

Static

static

3

20240328-REV2.exe

windows7-x64

10

20240328-REV2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    749fe6d590f8ab687cda4bfa897684dbc772e56a54bc4088fe654a079d9cf7ac.rar

  • Size

    583KB

  • Sample

    240427-bt1r1sgb33

  • MD5

    62d3c6b2bb03bc9a4e7a752f6c1b3f69

  • SHA1

    d15a47b2617852c634953e12710b96edc028157e

  • SHA256

    749fe6d590f8ab687cda4bfa897684dbc772e56a54bc4088fe654a079d9cf7ac

  • SHA512

    5822bb5527add969ae784d1969da63230c49abe64c52aed1c8aa596085cc3135b515121ef3c13c709326671bbb42efb4b463288c3ee54988b01205027fcfee10

  • SSDEEP

    12288:twzQ+lgkUhR6Jlcj99vFK53MvcP+SjDPYzrrQY8lOpKGI2msu:tn+lgkQR2cj9pFK5ccBYH0Y8lOpBI2mv

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      20240328-REV2.exe

    • Size

      619KB

    • MD5

      ed1e2fd68e9de44ea4e01c7897f64411

    • SHA1

      a42eb4e6084ac91d1fad3ef9fe01d8d3e9db0c26

    • SHA256

      37109eb42fff729d1786ca4b676167f7acaa918a4abaf3bb465cfed6efa2b134

    • SHA512

      6bef9338609c2d307ace1620d8e8c8a7d2888448b04a259dbd54937aa92255f8805c696558177303e95ebcf74d041d995b392e6084a92f80789d7422d02f7bf1

    • SSDEEP

      12288:gYIPXjyEcoqe8OKZDOZqB8tMX4tVOiaatVSSDc1ow1rxEdex:gYIPuEtq/KoDX4XaaaSo1DUd

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks