Overview

overview

10

Static

static

5

6c5b8fce7e...98.exe

windows7-x64

10

6c5b8fce7e...98.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6c5b8fce7e9890b91f1ebccc6af95673420f687583b0192797abdb1ce1448098

  • Size

    1.0MB

  • Sample

    240522-atnl1seg53

  • MD5

    92c17a81e538c07a91585e628ce7e9dc

  • SHA1

    a450a89a81163cb2e7921588195b121bc0a4a8d0

  • SHA256

    6c5b8fce7e9890b91f1ebccc6af95673420f687583b0192797abdb1ce1448098

  • SHA512

    e3fd82a7d57005b75756031edeb85f7e5f606164a93928c4b40bc4c2b32436c1a0f0a2ec6a6b9a8d001f959a847668a70d2bdaa88b2d3b3b9b1439557f0b16a7

  • SSDEEP

    24576:oAHnh+eWsN3skA4RV1Hom2KXMmHaEhJ6v3XZ2MES1ekV5:vh+ZkldoPK8YaE36PZFEE

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      6c5b8fce7e9890b91f1ebccc6af95673420f687583b0192797abdb1ce1448098

    • Size

      1.0MB

    • MD5

      92c17a81e538c07a91585e628ce7e9dc

    • SHA1

      a450a89a81163cb2e7921588195b121bc0a4a8d0

    • SHA256

      6c5b8fce7e9890b91f1ebccc6af95673420f687583b0192797abdb1ce1448098

    • SHA512

      e3fd82a7d57005b75756031edeb85f7e5f606164a93928c4b40bc4c2b32436c1a0f0a2ec6a6b9a8d001f959a847668a70d2bdaa88b2d3b3b9b1439557f0b16a7

    • SSDEEP

      24576:oAHnh+eWsN3skA4RV1Hom2KXMmHaEhJ6v3XZ2MES1ekV5:vh+ZkldoPK8YaE36PZFEE

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks