Overview

overview

10

Static

static

1

0eebf72cc9...85.exe

windows7-x64

10

0eebf72cc9...85.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    0eebf72cc9f4ef61a8f3156e1c01ba3925678f75522e494abcde74c3eadc9e85.exe

  • Size

    727KB

  • Sample

    240502-besg4aee63

  • MD5

    baed9ad202abc1a000e4385aa04dde67

  • SHA1

    3b5e2c7d9a8bc85726632e0599ec34f957c41662

  • SHA256

    0eebf72cc9f4ef61a8f3156e1c01ba3925678f75522e494abcde74c3eadc9e85

  • SHA512

    6c02d1f13202ab63aca1f10663bccf281f4afa98956980f24e3f742b71f58dc1b32b7fc7758ec9f9902993be4190989fe1590dc73783fbbdea82b41cdcd491dd

  • SSDEEP

    12288:CxN5ctMuagIYlMtlcPgN8qxYqLy6H237TRcBzeHwu+PSwzJWcJRX0IlfkR:CxN5SMucmMtlc4Kf4BW3XR9Qu+P7yW6

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      0eebf72cc9f4ef61a8f3156e1c01ba3925678f75522e494abcde74c3eadc9e85.exe

    • Size

      727KB

    • MD5

      baed9ad202abc1a000e4385aa04dde67

    • SHA1

      3b5e2c7d9a8bc85726632e0599ec34f957c41662

    • SHA256

      0eebf72cc9f4ef61a8f3156e1c01ba3925678f75522e494abcde74c3eadc9e85

    • SHA512

      6c02d1f13202ab63aca1f10663bccf281f4afa98956980f24e3f742b71f58dc1b32b7fc7758ec9f9902993be4190989fe1590dc73783fbbdea82b41cdcd491dd

    • SSDEEP

      12288:CxN5ctMuagIYlMtlcPgN8qxYqLy6H237TRcBzeHwu+PSwzJWcJRX0IlfkR:CxN5SMucmMtlc4Kf4BW3XR9Qu+P7yW6

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks