General

  • Target

    a143da5889aa739a18399bf2d4fe6352191eaa06ed7ef2568dfd57983eaa416a.exe

  • Size

    672KB

  • Sample

    240522-cg2zzsgh35

  • MD5

    1d8c5978c488b34fbbdd7e4f3d004e05

  • SHA1

    78012b122c2005c14fc47074d6dff0b5576bef9d

  • SHA256

    a143da5889aa739a18399bf2d4fe6352191eaa06ed7ef2568dfd57983eaa416a

  • SHA512

    5a319bdb918bf714e88e19527e1aa7f06eb06a3f66938b69e20a338df440cc0fae5f92f4dc2224dd3ddba403f81a5ab58362abe63fa1c6b4e38ec51ab568399e

  • SSDEEP

    12288:urEAmDBPc3B4dcSlcEko2nsCj0CNDtJUy+QzKqWxGf3eb6O0JnWie:krSlcTs+0MULQzKu31zZQ

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.trisquarespl.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    uhzJADD6

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or using KoiVM.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
