Overview

overview

10

Static

static

1

SWIFT Copy...df.vbs

windows7-x64

10

SWIFT Copy...df.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8b3612c35f176d8af044d2aafcea0c0d2306b9f0188a1b06366d06a24fee5406.rar

  • Size

    13KB

  • Sample

    240430-bz8ptage64

  • MD5

    834495aba519d709bb66ec9385dff94e

  • SHA1

    9330dc1a2dc846e967de17e2bf36f60c1d063f75

  • SHA256

    8b3612c35f176d8af044d2aafcea0c0d2306b9f0188a1b06366d06a24fee5406

  • SHA512

    e0b4a806a39418e07c62ba0bd97f0c6ebfeda7231192c7be565aa3596b29359bf7d9b5f9e4dbfc1bf603b56973eb61c2ff2b52e38aa461dcdf40bdcaf3175cab

  • SSDEEP

    192:TYkALlev8SpkAP+HCZfUSMbV1RQHs28KdBYZ7OA0fmWpGNeYeiTNpdP/kcWhlR9/:MkALYRxqCZMTO5dzp5YLBk/hf9KO

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SWIFT Copy000224042024-pdf.vbs

    • Size

      34KB

    • MD5

      ec0b0c5aca480e26979b6d7dda8cbb14

    • SHA1

      a98b3addf15724c049e1f2e44a071df9e7b0df21

    • SHA256

      d5271109119ab792f4d1adfa7e24979a19fed1b0d13092b78db4114e3e943170

    • SHA512

      b1deee49cd2f74b0c1c651414181e563dcdbd8658573380dc1dc419b5b8962df6f0105387eb0718087b4ac6efcc963fba3ca253c82cef10be4f07a38d986b713

    • SSDEEP

      384:3E/p5dFHavtyX+hCajcYRn9LH/Y7Yzlgv9gufiQSKBq42:U/pRL+hDjcswPv9gyRSKBq42

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks