Overview

overview

10

Static

static

3

df9cda22ad...b1.exe

windows7-x64

10

df9cda22ad...b1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    df9cda22adcc6f050ef0efcf8e93248b254d4708a2616b08531911d10b2a1eb1.exe

  • Size

    660KB

  • Sample

    240522-r6b77aeh35

  • MD5

    151f30a098966d3382974b7d05ced991

  • SHA1

    42ad172a0d55c1e71affa18aef0cb9d3d15505f9

  • SHA256

    df9cda22adcc6f050ef0efcf8e93248b254d4708a2616b08531911d10b2a1eb1

  • SHA512

    475d34b9b28011ed85ca84f43da114c080e132b09c5237eb793f6a4cf233eb6460077006dcdd50cddf0de1e33fcc307d4ee9830617711b5f5fb4f5d3630ecde4

  • SSDEEP

    12288:MlYifT4uJoZ0Ez3riLoZZPRi5N1R/XajuYNSdWzkvmvp4HzYUsWKnvrAkW6mg:biVJ80Ezb2oZZPoySgRgmvJUsWcvrAk+

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      df9cda22adcc6f050ef0efcf8e93248b254d4708a2616b08531911d10b2a1eb1.exe

    • Size

      660KB

    • MD5

      151f30a098966d3382974b7d05ced991

    • SHA1

      42ad172a0d55c1e71affa18aef0cb9d3d15505f9

    • SHA256

      df9cda22adcc6f050ef0efcf8e93248b254d4708a2616b08531911d10b2a1eb1

    • SHA512

      475d34b9b28011ed85ca84f43da114c080e132b09c5237eb793f6a4cf233eb6460077006dcdd50cddf0de1e33fcc307d4ee9830617711b5f5fb4f5d3630ecde4

    • SSDEEP

      12288:MlYifT4uJoZ0Ez3riLoZZPRi5N1R/XajuYNSdWzkvmvp4HzYUsWKnvrAkW6mg:biVJ80Ezb2oZZPoySgRgmvJUsWcvrAk+

    Score
    10/10
    agentteslaexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks