General

  • Target

    22052024_1751_22052024_Aviso legal.img

  • Size

    1.4MB

  • Sample

    240522-we54eaah6x

  • MD5

    20d5aee70866285a83d85ff3596a676e

  • SHA1

    fd90e80dddf1750296145511decd2115304dfa67

  • SHA256

    499fb09ef1f251f56311fc4a3d303f38dee434cb0ada4372bb8d0cf291c5ddb3

  • SHA512

    2ffe7c52ae46e2be1e35958d3f9b787d0823170b62a178c3233c77009bff15ccc3a959f7f202b1cf9d4ddb6e04134ef46335bb29fe67c99b69b5abc03d1175e9

  • SSDEEP

    12288:kbBFvUojlMVWIhWL7Uc8Eh8xn8mWpXS0iNrm:kbPvUohIWIhko9xnVWpC

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6994888350:AAFqI19L4KkGo55n9P5XziXuBSULg-rdpEc/
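The C2 above is the Telegram Bot API: the path segment after "bot" is the bot's numeric ID (6994888350) followed, after the colon, by its secret token, and the stealer exfiltrates harvested data by calling Bot API methods on that endpoint. The token is effectively an attacker credential, so it should be recorded as an indicator with the secret masked rather than pasted around in the clear. The following Python is an added triage helper, not part of the sandbox report: it verifies a local file against the MD5/SHA1/SHA256/SHA512 values published above (SSDEEP is omitted because it needs the external ssdeep library) and extracts Telegram Bot API C2 URLs from a strings or config dump. The strings dump below is constructed except for the C2 URL, which is the one listed in this report; the regex and masking format are my own.

```python
"""Added triage helper (not part of the sandbox report): verify a sample
against the hashes published in the report and pull Telegram Bot API C2
URLs out of extracted strings, masking the bot secret for sharing."""
import hashlib
import re

# Telegram Bot API tokens are "<numeric bot id>:<secret>". Matching the two
# halves separately lets us keep the bot id as an indicator while masking
# the secret (the length bound is an assumption; real tokens are 35 chars).
TELEGRAM_C2 = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"(?:/(?P<method>[A-Za-z]+))?"
)


def file_hashes(data: bytes) -> dict:
    """Return the digest set the report lists (minus SSDEEP)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: dict) -> list:
    """Compare a local file's digests with the report's.  Returns the names
    of the algorithms that disagree; an empty list means the file is the
    reported sample.  Algorithms not computed here (e.g. ssdeep) are skipped."""
    actual = file_hashes(data)
    return sorted(
        algo for algo, value in expected.items()
        if algo in actual and actual[algo] != value.lower()
    )


def find_telegram_c2(text: str) -> list:
    """Extract Telegram Bot API endpoints from a strings/config dump.  The
    secret is masked so the indicator can be shared without handing out a
    working token."""
    hits = []
    for m in TELEGRAM_C2.finditer(text):
        secret = m.group("secret")
        hits.append({
            "bot_id": m.group("bot_id"),
            "token_masked": f"{m.group('bot_id')}:{secret[:4]}...{secret[-4:]}",
            "method": m.group("method"),  # None when only the base URL is present
            "host": "api.telegram.org",
        })
    return hits


# Constructed strings dump.  Line 2 is the C2 URL from this report; line 3
# is the same endpoint with a Bot API method appended, as a stealer would
# call it; the rest is filler resembling stealer config strings.
SAMPLE_STRINGS = """\
Aviso legal.exe
https://api.telegram.org/bot6994888350:AAFqI19L4KkGo55n9P5XziXuBSULg-rdpEc/
https://api.telegram.org/bot6994888350:AAFqI19L4KkGo55n9P5XziXuBSULg-rdpEc/sendDocument
chat_id=
Passwords.txt
"""

if __name__ == "__main__":
    for hit in find_telegram_c2(SAMPLE_STRINGS):
        print(hit)
    # Constructed bytes stand in for the real file; with the actual sample
    # the expected dict would hold the MD5/SHA1/SHA256/SHA512 from the report.
    print(verify_sample(b"abc", {"md5": "900150983cd24fb0d6963f7d28e17f72"}))
```

Do not exercise the extracted token against api.telegram.org from an analysis workstation on a corporate network: any Bot API call with it is an interaction with the attacker's infrastructure and, depending on the method, can modify the bot's state. Block or alert on outbound traffic to api.telegram.org from hosts that have no business reason to reach it, and treat the bot ID as a durable indicator even if the token is rotated.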

Targets

    • Target

      Aviso legal.exe

    • Size

      821KB

    • MD5

      c7ae7bfda7f71b76c6f3213cfe94529e

    • SHA1

      eebcb778056a8fa9a33255141d70ffac41523caf

    • SHA256

      93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4

    • SHA512

      70326a8b9f6c7d99f82e32f0116b23e2b879bbea3235b03e7510a080ffbbeabc2620b09be4406a2a2b28b62c0679a3ee56e39b7398991693c80da0d84fe43fd2

    • SSDEEP

      12288:8bBFvUojlMVWIhWL7Uc8Eh8xn8mWpXS0iNrmY:8bPvUohIWIhko9xnVWpCH

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, typically compiled from Visual Basic .NET or C#. It harvests saved credentials from browsers, mail clients and FTP/SFTP clients and exfiltrates them over SMTP, FTP, HTTP or, as in this sample, the Telegram Bot API.

    • Loads dropped DLL

      Loads a library it first wrote to disk. Here the dropped file is $PLUGINSDIR/System.dll, the NSIS "System" plug-in, which shows the executable is an NSIS installer package that unpacks the real payload at run time; the plug-in itself is benign (it has its own entry below with a low score).

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so the thread generates no debug events for an attached debugger; an anti-analysis technique.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which detaches the calling thread from any attached debugger; breakpoints in that thread then go unseen.

    • Suspicious use of SetThreadContext

      Rewrites a thread's register context, including its instruction pointer. Together with the dropped DLL above this is the usual signature of a loader injecting its unpacked payload into a suspended process (process hollowing) rather than running it from disk.

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10
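The behaviour signatures above (credential-store reads, external IP lookup, Telegram Bot API contact) are exactly what a host-based detection should key on, and the useful caveat is that a single credential-store read is normal for the client that owns that store, so the rule has to look at the combination per process. The following Python is an added detection example, not part of the sandbox report: it scores constructed file/registry/DNS events per process against the same signature names used above. The path patterns for WinSCP, FileZilla, Thunderbird/Outlook and Chromium/Firefox stores, the IP-lookup host list and the verdict thresholds are my assumptions about typical infostealer targets, not facts taken from this report; the event lines are constructed.

```python
"""Added detection example (not part of the sandbox report): group
constructed 'pid|image|op|target' events by process and flag the
infostealer pattern the report's signatures describe."""
import re
from collections import defaultdict

# (signature name as used in the report, pattern over the object touched).
# Paths are assumed typical locations, not taken from the report.
CREDENTIAL_STORES = [
    ("Reads WinSCP keys stored on the system",
     re.compile(r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions", re.I)),
    ("Reads data files stored by FTP clients",
     re.compile(r"\\FileZilla\\(recentservers|sitemanager)\.xml$", re.I)),
    ("Reads user/profile data of local email clients",
     re.compile(r"\\(Thunderbird\\Profiles\\.*\\(logins\.json|key4\.db)"
                r"|Microsoft\\Outlook\\)", re.I)),
    ("Reads user/profile data of web browsers",
     re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)"
                r"\\User Data\\.*\\(Login Data|Cookies)$"
                r"|\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db)$", re.I)),
]
# Assumed list of public "what is my IP" services used by stealers.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
C2_HOSTS = {"api.telegram.org": "Contacts Telegram Bot API (this sample's C2 channel)"}


def classify_event(op: str, target: str):
    """Return the signature name a single event matches, or None."""
    if op in ("file_read", "reg_read"):
        for name, pattern in CREDENTIAL_STORES:
            if pattern.search(target):
                return name
    elif op == "dns":
        host = target.lower()
        if host in IP_LOOKUP_HOSTS:
            return "Looks up external IP address via web service"
        if host in C2_HOSTS:
            return C2_HOSTS[host]
    return None


def triage_events(log: str) -> dict:
    """Collect, per pid, the image name and the set of signatures triggered."""
    procs = defaultdict(lambda: {"image": None, "signatures": set()})
    for line in log.splitlines():
        if not line.strip():
            continue
        pid, image, op, target = line.split("|", 3)
        procs[pid]["image"] = image
        sig = classify_event(op, target)
        if sig:
            procs[pid]["signatures"].add(sig)
    return procs


def verdict(signatures: set) -> str:
    """One store read is normal for the client that owns it; two or more
    distinct stores, or a store plus an external-IP lookup, is the stealer
    pattern shown in this report (thresholds are my assumption)."""
    stores = {s for s in signatures if s.startswith("Reads ")}
    ip_lookup = any(s.startswith("Looks up") for s in signatures)
    if len(stores) >= 2 or (stores and ip_lookup):
        return "infostealer"
    return "low"


# Constructed events: pid 4120 mimics the sample's behaviour, pid 5308 is a
# legitimate FTP client reading its own site list (must not be flagged).
EVENTS = """\
4120|Aviso legal.exe|reg_read|HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\prod-sftp
4120|Aviso legal.exe|file_read|C:\\Users\\u\\AppData\\Roaming\\FileZilla\\recentservers.xml
4120|Aviso legal.exe|file_read|C:\\Users\\u\\AppData\\Roaming\\Thunderbird\\Profiles\\abcd.default\\logins.json
4120|Aviso legal.exe|file_read|C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
4120|Aviso legal.exe|dns|checkip.dyndns.org
4120|Aviso legal.exe|dns|api.telegram.org
5308|filezilla.exe|file_read|C:\\Users\\u\\AppData\\Roaming\\FileZilla\\sitemanager.xml
"""

if __name__ == "__main__":
    for pid, info in triage_events(EVENTS).items():
        print(pid, info["image"], verdict(info["signatures"]), sorted(info["signatures"]))
```

The per-process grouping is the important design choice: matching any single path produces constant noise from the legitimate owners of those stores, while the combination of several unrelated stores, an external IP lookup and a Bot API contact from one freshly dropped executable is specific to this family's behaviour.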

MITRE ATT&CK Enterprise v15

Tasks