Overview

overview

10

Static

static

3

7ed6e19782...ad.exe

windows7-x64

10

7ed6e19782...ad.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7ed6e1978285b46db8a796f0df455c0843046e117eca2e41231b8dc0231fdfad.exe

  • Size

    983KB

  • Sample

    240430-bxw81agh61

  • MD5

    56d373b5443c15c4f2709ded9aedc848

  • SHA1

    d37b67bb8a6edf795793d10b007ee3fa79745ab8

  • SHA256

    7ed6e1978285b46db8a796f0df455c0843046e117eca2e41231b8dc0231fdfad

  • SHA512

    bdece2e7dd0739fde11288b5e2b833bf5f77bcfaea4ab106d43ded1c733bbeca64941603d630fd3d1179c548ec679cf5e7baea5c62f837b1f9be5fbd4961b35c

  • SSDEEP

    12288:utqItUpkwHobEdEufPj9JBnuMOlk0P7E/fjhfrLns+7vhKY+mzbvDh:kBtzwHobQEgPNwkKs7hfHnN7vhKmzTd

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.tabcoeng.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    TaSq3365!

Targets

    • Target

      7ed6e1978285b46db8a796f0df455c0843046e117eca2e41231b8dc0231fdfad.exe

    • Size

      983KB

    • MD5

      56d373b5443c15c4f2709ded9aedc848

    • SHA1

      d37b67bb8a6edf795793d10b007ee3fa79745ab8

    • SHA256

      7ed6e1978285b46db8a796f0df455c0843046e117eca2e41231b8dc0231fdfad

    • SHA512

      bdece2e7dd0739fde11288b5e2b833bf5f77bcfaea4ab106d43ded1c733bbeca64941603d630fd3d1179c548ec679cf5e7baea5c62f837b1f9be5fbd4961b35c

    • SSDEEP

      12288:utqItUpkwHobEdEufPj9JBnuMOlk0P7E/fjhfrLns+7vhKY+mzbvDh:kBtzwHobQEgPNwkKs7hfHnN7vhKmzTd

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks