Overview

overview

10

Static

static

3

DHL Delive...45.exe

windows7-x64

10

DHL Delive...45.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ab5354e47e271a691a05573d9bf49c20397b8e2602320a905502e83c4a1c58ee.iso

  • Size

    878KB

  • Sample

    240523-cbkhrahd9x

  • MD5

    e1e2c1ecbd1134697835a9c2a5c72023

  • SHA1

    6e00cd793d8df54ebd1c83386a7d173466f8f99d

  • SHA256

    ab5354e47e271a691a05573d9bf49c20397b8e2602320a905502e83c4a1c58ee

  • SHA512

    d9988818ff9c843f743fb0bb2b2907a96d267db45fd3a57caaae19850b65c9fcb70c18d6696cd0aee6812530ddf770bd3fc75e183af939a9d250f57fd51e87b3

  • SSDEEP

    12288:jzWWET/mr9K0A/B5bKmy+VDmVx5R380an/soBWKNmRobGGKraPHOLcIjqlEWDvo+:jzWWtDQKd+lFbNkALWfsE+

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DHL Delivery Invoice AWB#7490327845.exe

    • Size

      818KB

    • MD5

      03706e52938770bd5497faddc41ae671

    • SHA1

      75d77e86a0c5eb7745d0efe60c90175deea29fea

    • SHA256

      ae424f87ddc0913714a888f32a9412df939107b863c28e407513cf1b55db07f2

    • SHA512

      00fe3572a8cb40ec347c9ce563ecc4e78bc0cd93f7c987f1cc3cd9f2de1b93fa33bc7c3e017c84897c494a905895c987de71459151f5fb03f3c458bf15918a56

    • SSDEEP

      12288:zzWWET/mr9K0A/B5bKmy+VDmVx5R380an/soBWKNmRobGGKraPHOLcIjqlEWDvo+:zzWWtDQKd+lFbNkALWfsE+

    Score
    10/10
    agentteslaexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks