Overview

overview

10

Static

static

1

530b019d1e...fc.exe

windows7-x64

10

530b019d1e...fc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    530b019d1e22535451dbefd997a09c85eeeaa313b114c67ab67329d5fe14e8fc.exe

  • Size

    668KB

  • Sample

    240430-bqsl8sgb55

  • MD5

    1b3feb610357e53c06656f8f084b7fe8

  • SHA1

    135db2eecfdf9ec9f9a0a8ee5efe777e0f68437c

  • SHA256

    530b019d1e22535451dbefd997a09c85eeeaa313b114c67ab67329d5fe14e8fc

  • SHA512

    1773aceba4bcf0ac857a26240d63b0d700cd4a2d56e4984f3c9479653601ff737a438e97b7abc75c640c9a82665092a4d751968b9a90ac25b5f5cc6d86526ff8

  • SSDEEP

    12288:24B778Q+A/y4Zz/LQglOYiZmxjIw3jbOFu5mQf0MiZA+tlEXF4xAKkR:PB1/LMYiZ884guyN3QXF4WJ

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      530b019d1e22535451dbefd997a09c85eeeaa313b114c67ab67329d5fe14e8fc.exe

    • Size

      668KB

    • MD5

      1b3feb610357e53c06656f8f084b7fe8

    • SHA1

      135db2eecfdf9ec9f9a0a8ee5efe777e0f68437c

    • SHA256

      530b019d1e22535451dbefd997a09c85eeeaa313b114c67ab67329d5fe14e8fc

    • SHA512

      1773aceba4bcf0ac857a26240d63b0d700cd4a2d56e4984f3c9479653601ff737a438e97b7abc75c640c9a82665092a4d751968b9a90ac25b5f5cc6d86526ff8

    • SSDEEP

      12288:24B778Q+A/y4Zz/LQglOYiZmxjIw3jbOFu5mQf0MiZA+tlEXF4xAKkR:PB1/LMYiZ884guyN3QXF4WJ

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks