Overview

overview

10

Static

static

3

cfba93a947...77.exe

windows7-x64

10

cfba93a947...77.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe

  • Size

    1.1MB

  • Sample

    240509-cgvkxacd7w

  • MD5

    b51437afc0839fd9a676a8f597bb7943

  • SHA1

    f92958eff0a0252baaa3bad70f2f9b392ccc5bb9

  • SHA256

    cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877

  • SHA512

    97f736094d97e50c4319925f7e8f8e59d2c14f371b294e9c2a28bc3a7ff2a6395ee04a0b37dcc34c83d46ae6d3ad365fb5e1d5d4b6f1bb92611c27a614cbf3ba

  • SSDEEP

    24576:1KzVtwfumPW2lQxQGFHKj3gBLV/ccVOjEXj39m:1KzVtw2mPB6uj3gL/TOjEBm

Score
10/10
agentteslaevasionexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe

    • Size

      1.1MB

    • MD5

      b51437afc0839fd9a676a8f597bb7943

    • SHA1

      f92958eff0a0252baaa3bad70f2f9b392ccc5bb9

    • SHA256

      cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877

    • SHA512

      97f736094d97e50c4319925f7e8f8e59d2c14f371b294e9c2a28bc3a7ff2a6395ee04a0b37dcc34c83d46ae6d3ad365fb5e1d5d4b6f1bb92611c27a614cbf3ba

    • SSDEEP

      24576:1KzVtwfumPW2lQxQGFHKj3gBLV/ccVOjEXj39m:1KzVtw2mPB6uj3gL/TOjEBm

    Score
    10/10
    agentteslaevasionexecutionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or use KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks