Overview

overview

10

Static

static

3

WZAgent.exe

windows7-x64

10

WZAgent.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    240219-dsgc4aha8w_pw_infected.zip

  • Size

    9.6MB

  • Sample

    240521-19x4hacc2t

  • MD5

    94383650d3f84765d1bb592fc4fe43f4

  • SHA1

    eb53c3e4b66ff46b253ad04d02d367dcdd5445df

  • SHA256

    3339684c5ea9d82228af499585907e9eab5a99ecaf9fda63518fa112ba394527

  • SHA512

    75525736a528a2e733873e74fb9330bc72084162bfdc5db79bc4f5d80b6d00ee629163f2bcd4219d79a6eaf1560e7df79f0c56593fff74ffb6fb7354e3a17881

  • SSDEEP

    196608:4TCgVjt/t+zdHIrBlaKfZcPxhe7EBCMjocOxtlO+QLAdc:6VjNYz8tm5C8kxL36

Score
10/10
agentteslaagilenetevasionkeyloggerspywarestealerthemidatrojan

Malware Config

Targets

    • Target

      WZAgent.exe

    • Size

      9.4MB

    • MD5

      86137e9ed8313472f22f6e523d8ad219

    • SHA1

      49e66323a9ad23e49569edfb0f4ca2d3c67ef61b

    • SHA256

      e25599248cbab0ee17db46769aefac345098d9a066192f89c0072a38c726f50a

    • SHA512

      f06d574d3a5040303ef9a246a73163675169f8e5086835279a376ab14442f3f38afe70ea31fc68357845e28e3872e94e9b8f67694a3b6fc288d5b85d7d2975d6

    • SSDEEP

      196608:/ntsxE5JupJ6XmXIY3AmEXxeA32ngfgZ5Kv+yWGqL+aewN8L:/nts+Upam4OAmEXn4Z5C+RLN

    Score
    10/10
    agentteslaagilenetevasionkeyloggerspywarestealerthemidatrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks