General

  • Target

    3776d381f9fa02fb73eb16f9f104c52adf763e6f97ce2f6c74e655c4115ae851

  • Size

    720KB

  • Sample

    240522-cwlxbahe6v

  • MD5

    865614bb221f8b1ec7a15aa033e2a5ee

  • SHA1

    777d6d5f2decf2716d423c30377a63baa450218d

  • SHA256

    3776d381f9fa02fb73eb16f9f104c52adf763e6f97ce2f6c74e655c4115ae851

  • SHA512

    5356e72a63315d7ce3b6f8544b88daa54b6ff1c7bad7af300591d2d2b8ed63a6be86d15be267987307167f7ca3761a7ceeb8b6c6b244cffe6027c75321de1bd5

  • SSDEEP

    12288:BorbUF3TVSV0+iKMglb0n6Z++yBGENATNiKq/Gk5y0/+tc1uDWTxnUNrGMH:BIbQ3TLTc0n6MJ0gGkg0uQutGMH

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      New order.exe

    • Size

      763KB

    • MD5

      7dfb952c184cd0e1d8ad2df971a83986

    • SHA1

      a3d2cf69513c7d7ddd020eb11ad40c5ee790fd28

    • SHA256

      658e2f44c6e3a6af989069dc2fc82337c326fe751e037161e1c780c9bc639c4c

    • SHA512

      be9a46365483bdb02751fa4237e08685b3184b23d93f99b039a3f66a0496feeeb8a83ba2cf37a25fda7ca701d44f36f1fd834893be1fdd55d966d360d35ca77c

    • SSDEEP

      12288:yz+I6yWn7fcpVZlu/6uH30nEZ+ym9ENATN9O/P8xGkFp+DjwT8rHDFXVz4X6YG1y:/I698VVY30nEB09YEGkx47hlznI

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1
  • PowerShell (T1059.001): 1
  • Scheduled Task/Job (T1053): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2