Overview

overview

10

Static

static

3

fab9809b4f...6a.exe

windows7-x64

10

fab9809b4f...6a.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    fab9809b4f04191f935e53c298de6a0d0c23e4d2589fc60a2e06c5735f70866a.exe

  • Size

    343KB

  • Sample

    240511-cgq8gshg87

  • MD5

    3de33761d18c33ebbf8e9d0d8f17aab1

  • SHA1

    f62a08e7b8a49fb51b7a19b56462ed74a6489cde

  • SHA256

    fab9809b4f04191f935e53c298de6a0d0c23e4d2589fc60a2e06c5735f70866a

  • SHA512

    e3b91ec66d2471e4b5ab1c1a64a20c59dac1fba911c06c18b59722d7d808572e0d9951a03eb2f4aad797920bfc433e199fcfff71c81eb64d06aa67473f393dcd

  • SSDEEP

    6144:O/c/43APFfobmbCkegPds+3F6O3MOLS29SIcBj7XQkjjMPEqDSGgS:OR3efobm+Quy4O3PO2cIcd73jMPEqDSc

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      fab9809b4f04191f935e53c298de6a0d0c23e4d2589fc60a2e06c5735f70866a.exe

    • Size

      343KB

    • MD5

      3de33761d18c33ebbf8e9d0d8f17aab1

    • SHA1

      f62a08e7b8a49fb51b7a19b56462ed74a6489cde

    • SHA256

      fab9809b4f04191f935e53c298de6a0d0c23e4d2589fc60a2e06c5735f70866a

    • SHA512

      e3b91ec66d2471e4b5ab1c1a64a20c59dac1fba911c06c18b59722d7d808572e0d9951a03eb2f4aad797920bfc433e199fcfff71c81eb64d06aa67473f393dcd

    • SSDEEP

      6144:O/c/43APFfobmbCkegPds+3F6O3MOLS29SIcBj7XQkjjMPEqDSGgS:OR3efobm+Quy4O3PO2cIcd73jMPEqDSc

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      d6f54d2cefdf58836805796f55bfc846

    • SHA1

      b980addc1a755b968dd5799179d3b4f1c2de9d2d

    • SHA256

      f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9

    • SHA512

      ce67da936a93d46ef7e81abc8276787c82fd844c03630ba18afc3528c7e420c3228bfe82aeda083bb719f2d1314afae913362abd1e220cb364606519690d45db

    • SSDEEP

      192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks