General

  • Target

    2ecbb0f12109e26545d19bc42215b7c6884da48e8f59d5954330e7ecfa290b62.ace

  • Size

    646KB

  • Sample

    240430-bksp2sfh46

  • MD5

    decced6e27ef25192707833a79303b14

  • SHA1

    2c060d737a2a201e6ec80c9a7f602bad80e00893

  • SHA256

    2ecbb0f12109e26545d19bc42215b7c6884da48e8f59d5954330e7ecfa290b62

  • SHA512

    0159f05c156a343ba97e30caff542f62178891408d52a852ac5ec19ece730dd03ab17ab9e7c49293baf2a3ae76cec6816bfcfb882d47c3fe0a967dff23692fd3

  • SSDEEP

    12288:sbib77PywQBHx6FXV6CMEEfGk5BEZn5DbwVAxWPCrG0GaOxo21:sbYi86CMlEZ5XwyW6r+aB21

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5239412158:AAHXn8rC3uvBHy_kv77GtIcxcuvBuXcKD_8/

Targets

    • Target

      TNT Original Invoice.scr

    • Size

      697KB

    • MD5

      4aa63ea35a6a68252888080722f2b403

    • SHA1

      63ecde53df066919f84d35926dbea4efc1610b00

    • SHA256

      8f26ff4683a2d8c5dda6b8aff8c4d6b95ffe97c2432b413e0f8f0a0c16c96d32

    • SHA512

      a36aa7db91c5a98964b9285e85d07b255b4449dfd361ef09d8c4a8239c80adf895756c048f9ddc5ef9e35481a490005ace3aa36d1f93a0d59e80edae50ee8aa3

    • SSDEEP

      12288:2+DbgRB778QekIKVkQv77DBpPMJ3aofMw98A/wR0Q+bnEimiQZWOWiP6ZtZbUqu9:vgRB1HbGHfMv0wR0vEJN6vpR+

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks