Overview

overview

10

Static

static

3

23f7673e7c...79.exe

windows7-x64

10

23f7673e7c...79.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    23f7673e7c2c82ad3fc28053b843654f6b8c6001ea61f33c9bb8ecad069d4d79.exe

  • Size

    3.1MB

  • Sample

    240501-bhrpzaeb45

  • MD5

    446de202491c9e236094f393ec6d2e2b

  • SHA1

    bd346858ad56960bf2c859a345095d25ba935edb

  • SHA256

    23f7673e7c2c82ad3fc28053b843654f6b8c6001ea61f33c9bb8ecad069d4d79

  • SHA512

    2a80cb198944f5234dfeedf94b09a1ecfa6e0700a3e26a33d9cb14b00ae017228f571dc4bfd707312aa4531336303de36a3c37cf8f2b0dce2a1695d0ac5e7369

  • SSDEEP

    49152:4zBfc7DCBU8DVHcGwlZFuWUYKcxJ6E4Xw84LLIwrSOpGBNGCh+LBnOZ7mc+KT:4zuwj96KS4gzpn0p9vT

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.kenvue.cam
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    fmreport12345

Targets

    • Target

      23f7673e7c2c82ad3fc28053b843654f6b8c6001ea61f33c9bb8ecad069d4d79.exe

    • Size

      3.1MB

    • MD5

      446de202491c9e236094f393ec6d2e2b

    • SHA1

      bd346858ad56960bf2c859a345095d25ba935edb

    • SHA256

      23f7673e7c2c82ad3fc28053b843654f6b8c6001ea61f33c9bb8ecad069d4d79

    • SHA512

      2a80cb198944f5234dfeedf94b09a1ecfa6e0700a3e26a33d9cb14b00ae017228f571dc4bfd707312aa4531336303de36a3c37cf8f2b0dce2a1695d0ac5e7369

    • SSDEEP

      49152:4zBfc7DCBU8DVHcGwlZFuWUYKcxJ6E4Xw84LLIwrSOpGBNGCh+LBnOZ7mc+KT:4zuwj96KS4gzpn0p9vT

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables packed with or use KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks