Overview

overview

10

Static

static

3

216c0539cc...ca.exe

windows7-x64

10

216c0539cc...ca.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe

  • Size

    616KB

  • Sample

    240523-bj9beagc34

  • MD5

    0c937b5c2726ead914f467f4458fb30c

  • SHA1

    f1d0c49c593499e9190bcb796a0cd7292fbfeea6

  • SHA256

    216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca

  • SHA512

    d9403de28b2bf85cf7d0cf2390497016cf3e00255486eed84223bd97a5e41e21ebfd9218056e082bf745d4d7fdf7a712b72559358d2118eda6141222539a1231

  • SSDEEP

    12288:k9Xl+wonve99dbGPG+gibay1WTIlLuRtjI0THYWsuFFu5KmgsHL:kLRovq78GniOTTyLurk0TQNio

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe

    • Size

      616KB

    • MD5

      0c937b5c2726ead914f467f4458fb30c

    • SHA1

      f1d0c49c593499e9190bcb796a0cd7292fbfeea6

    • SHA256

      216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca

    • SHA512

      d9403de28b2bf85cf7d0cf2390497016cf3e00255486eed84223bd97a5e41e21ebfd9218056e082bf745d4d7fdf7a712b72559358d2118eda6141222539a1231

    • SSDEEP

      12288:k9Xl+wonve99dbGPG+gibay1WTIlLuRtjI0THYWsuFFu5KmgsHL:kLRovq78GniOTTyLurk0TQNio

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or use KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks