General

  • Target

    2b438a5f6c0d8a371a194fdb7c57511862fa8569b439a75c8028ef30bbac58d8

  • Size

    936KB

  • Sample

    240522-yrgyfsed8z

  • MD5

    12f0984001a496b1b0ffc2a194c941a3

  • SHA1

    f5be29bdbae4decdb20a60f324fbb9dd3d0934ef

  • SHA256

    2b438a5f6c0d8a371a194fdb7c57511862fa8569b439a75c8028ef30bbac58d8

  • SHA512

    b6e83213b59c8e499b8cb97ed75de224b323bbebe8559eb6d6c0d22fc8deef57d76c4a84878e895859260cc605ace2f341faa0b82bc9f4e7ac42c7277b45ed27

  • SSDEEP

    12288:WLwnvLhvEKk5t0QQMl/Dgoc0K3+XTsJ9AsPhS7xeQfpcv6606VbqmI:WLEv1EKk5t1g/DYEAsPs7xe40qm

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6602115092:AAE_EkIum3mOHF88T9ufYt_oJr5nE8bFoJA/

Targets

    • Target

      2b438a5f6c0d8a371a194fdb7c57511862fa8569b439a75c8028ef30bbac58d8

    • Size

      936KB

    • MD5

      12f0984001a496b1b0ffc2a194c941a3

    • SHA1

      f5be29bdbae4decdb20a60f324fbb9dd3d0934ef

    • SHA256

      2b438a5f6c0d8a371a194fdb7c57511862fa8569b439a75c8028ef30bbac58d8

    • SHA512

      b6e83213b59c8e499b8cb97ed75de224b323bbebe8559eb6d6c0d22fc8deef57d76c4a84878e895859260cc605ace2f341faa0b82bc9f4e7ac42c7277b45ed27

    • SSDEEP

      12288:WLwnvLhvEKk5t0QQMl/Dgoc0K3+XTsJ9AsPhS7xeQfpcv6606VbqmI:WLEv1EKk5t1g/DYEAsPs7xe40qm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with 9Rays.Net Spices.Net Obfuscator.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks