Overview

overview

10

Static

static

3

Bank advice.exe

windows7-x64

10

Bank advice.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    21052024150120052024Bankadvice.zip

  • Size

    736KB

  • Sample

    240522-wft3jaah8w

  • MD5

    c0413610fee91cee47dd38e8a2e74de3

  • SHA1

    b39461d4c91f1e53c2ee69cb78425191b2bbda76

  • SHA256

    dbaac700c20350233de18c80359a1d21ceb144fbc6acf7453332950874b9117f

  • SHA512

    c103b64e02b0ee87e77e584569c5ff01550645c5432ad92dd24c7aa41a395ac9e923c10700e3854c485fe3f3f942654a55aaa111e6c7eab8b9836e373aa852a4

  • SSDEEP

    12288:DEUKB9Ii+7zcc11TVUrDKor/QQFnowXPu/EuKm+k6m6310LKDBWk:AUKBei+7z3TVUnfr/QnwXPutx+kZ6313

Score
10/10
agentteslaexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.asplparts.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    CPMWkhyu7=b8

Targets

    • Target

      Bank advice.exe

    • Size

      817KB

    • MD5

      35dad19fa73688a3ef7fc6c516a36c6d

    • SHA1

      68cd1c02c145a4f485fb05f13b7020c8ab927b70

    • SHA256

      29e6828ef675a6d58d449cc71f68897baa9c6e17d2c11286f14a8a7d8a67d6f3

    • SHA512

      a464b8a73ee75c7eb612490beba1c858de48902cbf2d3911c76494debdc1b8b3c69f5f7b210ecc3d549944cf5796f445c8d2344c8e08ce8a2678595c037057d8

    • SSDEEP

      12288:e8FC7WET/mr9KWFv8cc1dYlNXklEGQQFnoy1Pe/WeKm+0fP9PE2hk4o8umqjAxYn:iWtTv8slNGEGQjy1PeBx+0

    Score
    10/10
    agentteslaexecutionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks