Overview

overview

10

Static

static

3

5bb5dab4e3...e8.exe

windows7-x64

10

5bb5dab4e3...e8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5bb5dab4e306d78f20a799afa2b943d5a5a1e4b91252050a76208d22cde932e8.exe

  • Size

    841KB

  • Sample

    240510-br2arsae9x

  • MD5

    75ed7ada6d18a65d8bc94be6f96211c1

  • SHA1

    b5192d012d297f1e939632053a231ec9b63b2c67

  • SHA256

    5bb5dab4e306d78f20a799afa2b943d5a5a1e4b91252050a76208d22cde932e8

  • SHA512

    b75393821360ee51258e608177eefe1209d255488078b58a4d6da503b23f48fb40aa5d5ced8fa2f445b492c698b71b7f82d31da58e3a233fea6f5cce22d7977f

  • SSDEEP

    12288:CfBa4VcKFZCKnOyAucLOvJ5+PrdLX2jzw0qUh5ZE2U38shqhSOS:C5msnNELhzp2j0KS2U38gl

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nne dimma080

Targets

    • Target

      5bb5dab4e306d78f20a799afa2b943d5a5a1e4b91252050a76208d22cde932e8.exe

    • Size

      841KB

    • MD5

      75ed7ada6d18a65d8bc94be6f96211c1

    • SHA1

      b5192d012d297f1e939632053a231ec9b63b2c67

    • SHA256

      5bb5dab4e306d78f20a799afa2b943d5a5a1e4b91252050a76208d22cde932e8

    • SHA512

      b75393821360ee51258e608177eefe1209d255488078b58a4d6da503b23f48fb40aa5d5ced8fa2f445b492c698b71b7f82d31da58e3a233fea6f5cce22d7977f

    • SSDEEP

      12288:CfBa4VcKFZCKnOyAucLOvJ5+PrdLX2jzw0qUh5ZE2U38shqhSOS:C5msnNELhzp2j0KS2U38gl

    Score
    10/10
    agentteslaexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks