General

  • Target: 33e4bac12cf6ce80c977b9fbfc4b9d517d020698f349e08938533fc7aea87e17
  • Size: 625KB
  • Sample: 240430-ben5nsga6w
  • MD5: 4c0ab123083e1071c1318dcc35a30ff5
  • SHA1: 5a074c0a859825dda81e63736e90db1b143a89fb
  • SHA256: 33e4bac12cf6ce80c977b9fbfc4b9d517d020698f349e08938533fc7aea87e17
  • SHA512: 531fb9f002757580afd8417ddb198474ae9134739a8fb95924b877fcce5a09a577180a38440e3878889e1fd0283c66ddbbae971d1000983dbef836f522dee0dc
  • SSDEEP: 12288:Lyp+ca7s/uUrJNkI+3+14suaiAjDHIwfD6n7VTLqv5Ipr8FB7s6CO8p8QWZQh:mCs/uEJGu2sumD/fATLfp4FBtZQh

Malware Config

  • Extracted
    Family: agenttesla
  • Credentials

Targets

    • Target: bank slip.exe
    • Size: 645KB
    • MD5: 94140263a36560bda39b02fffafce831
    • SHA1: 33f2c75d6d50ba1acaadc92ae64803ecd3ff18ff
    • SHA256: fb422ed39cbabcab2449fde2224bfa281f4248e08014b4e3a60003842409d7a6
    • SHA512: 2bf7708f475d4e663cea9c81a5198f1afa8f69d8088b84508d88bb25115beeaae116fb52a6c80c65e15be7f826c6616767afd30f27d19c076786edccefac381e
    • SSDEEP: 12288:zuZk4K7sxuUrrN0I+9Vhbb2guOiAjDHIEf9/Q/3LhqvsqDfzltZWYblmeB778Qoo:JsxumrO7cgu4D5fxALhhqDLl9RmeBf

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    T1053 Scheduled Task/Job: 1
  • Persistence
    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1
    T1053 Scheduled Task/Job: 1
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1
    T1053 Scheduled Task/Job: 1
  • Defense Evasion
    T1112 Modify Registry: 1
  • Discovery
    T1012 Query Registry: 1
    T1082 System Information Discovery: 2
