Overview

overview

10

Static

static

3

086a61b8e0...f8.exe

windows7-x64

10

086a61b8e0...f8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    086a61b8e021002733d2e13242c82ca64d6834ec97343d742fee3c07e27ff9f8.exe

  • Size

    682KB

  • Sample

    240429-bdy89adh7z

  • MD5

    5359c05ea8f32da860c3bc0ca3b1bfea

  • SHA1

    c6be1096c68834b4e3adaaf74d7e88e5a5a9637f

  • SHA256

    086a61b8e021002733d2e13242c82ca64d6834ec97343d742fee3c07e27ff9f8

  • SHA512

    fc165913c8c886c9eb956992228cadf5408c93eeb8eb51cddfaaf6893ae1d9f9614607ecdfa73de5a2b16cea55a524e467e405f2e71820dc405582936b8193d6

  • SSDEEP

    12288:bNgLeFR62plv312Z3Ssqcks4oMfQfLRlqfsbW7GOVlwj6KgFjpNoYRowIa6Rxh3u:LpJ312ZSsqFCLRQfIvO/w2F9HTRoJx

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      086a61b8e021002733d2e13242c82ca64d6834ec97343d742fee3c07e27ff9f8.exe

    • Size

      682KB

    • MD5

      5359c05ea8f32da860c3bc0ca3b1bfea

    • SHA1

      c6be1096c68834b4e3adaaf74d7e88e5a5a9637f

    • SHA256

      086a61b8e021002733d2e13242c82ca64d6834ec97343d742fee3c07e27ff9f8

    • SHA512

      fc165913c8c886c9eb956992228cadf5408c93eeb8eb51cddfaaf6893ae1d9f9614607ecdfa73de5a2b16cea55a524e467e405f2e71820dc405582936b8193d6

    • SSDEEP

      12288:bNgLeFR62plv312Z3Ssqcks4oMfQfLRlqfsbW7GOVlwj6KgFjpNoYRowIa6Rxh3u:LpJ312ZSsqFCLRQfIvO/w2F9HTRoJx

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks