General

  • Target: 07b09f1e8c5494e16087c1fdf2c6808f_JaffaCakes118
  • Size: 639KB
  • Sample: 240429-pwt9xaag64
  • MD5: 07b09f1e8c5494e16087c1fdf2c6808f
  • SHA1: ba38a112f8e0a0a8f2563c7ca2d4159a670afeab
  • SHA256: 95a0540d09fd56f0a71d989e200fd14c6d4735b0333417c38b848f3afa3eab85
  • SHA512: f042c62a911cdcee3e5ba49e7ed960de937b8193316c710f661091af035aa89e7215558cb264646896239cb9fae851f63900d73b9dc47bfd08a1b38eac59c844
  • SSDEEP: 12288:A2ibYiJ0dCCwy4W+3ChgsLI4n0AZXgneALudtKS00hWbM+0DkAYJEj2g:A1RZgSsLI4nZNdvL0j/VXijr

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.bestwaylogistics.com.pk
  • Port: 587
  • Username: [email protected]
  • Password: bestway786

Targets

    • Target: BANK SLIP.exe
    • Size: 699KB
    • MD5: 5a4a18b2faa6857e7a4b6a497cd01655
    • SHA1: e797a6bdc8534679c9a4f0a255c2fc33d213205c
    • SHA256: 3c6245d7313bf3f38f7b4a56fdf95b52d197b17ae6ab8aebc7382b05037251fc
    • SHA512: 4f0a58c3ba7dbce4c5dc29352b6536604980f4677957e449ab161ad3947cda5539b7d3e42d8d82637e7a30cecca138028f5fe84315cac56e6eeb5a052af93cdd
    • SSDEEP: 12288:5WS79vl2iN8v2zv1gOaE+1IhcszI4jyAZP+n2ANuDt2c00Z6bOy0DyQYlExH:B1B2O/yszI4jXFXBB0j/zHm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Modifies Windows Defender Real-time Protection settings

    • AgentTesla payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Each tactic lists the technique ID and name, with the number of matched signatures in parentheses.

Execution

  • T1053 Scheduled Task/Job (1)

Persistence

  • T1543 Create or Modify System Process (1)
  • T1543.003 Windows Service (1)
  • T1053 Scheduled Task/Job (1)

Privilege Escalation

  • T1543 Create or Modify System Process (1)
  • T1543.003 Windows Service (1)
  • T1053 Scheduled Task/Job (1)

Defense Evasion

  • T1112 Modify Registry (2)
  • T1562 Impair Defenses (2)
  • T1562.001 Disable or Modify Tools (2)
  • T1497 Virtualization/Sandbox Evasion (2)

Credential Access

  • T1552 Unsecured Credentials (4)
  • T1552.001 Credentials In Files (3)
  • T1552.002 Credentials in Registry (1)

Discovery

  • T1012 Query Registry (5)
  • T1497 Virtualization/Sandbox Evasion (2)
  • T1082 System Information Discovery (4)
  • T1120 Peripheral Device Discovery (1)

Collection

  • T1005 Data from Local System (4)
  • T1114 Email Collection (1)
