Overview

overview

10

Static

static

1

PO 2056781...aM.exe

windows7-x64

10

PO 2056781...aM.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0b335bef9c38177d30cb697d164c19f7eba600e6308596a68d3ca65cdeae3276

  • Size

    717KB

  • Sample

    240523-cgnscshg5w

  • MD5

    60ab0aeb4f61a56c90dfa34fb1deb019

  • SHA1

    05930c899983d13253433297d48108aad9936934

  • SHA256

    0b335bef9c38177d30cb697d164c19f7eba600e6308596a68d3ca65cdeae3276

  • SHA512

    cff5575fa908e105e4292a43a0f2e5ed3fda8cc9568926c7b816cc98c4837c34ced792033e1676363fd520a5ee89203ac7984fa04551f5629a4160264fbabf75

  • SSDEEP

    12288:W9h7EJIAr8t0dDM5M2un8MHaAQ30S4pc4vZltjkHHcoIcBi7tN6P7HXyRLi53bRo:+FTKcM2up6RSRvdCc00OrXkir6

Score
10/10
agentteslaexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.nwac.com.ng
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Foundation+111

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.nwac.com.ng
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Foundation+111

Targets

    • Target

      PO 20567812_PDF Kumaran Industries PVT LTD iGST_eH2mYaM.exE

    • Size

      876KB

    • MD5

      ef371eec27b49ddba4332cda7f5c3738

    • SHA1

      6a7568498c09068e845c3341ea34d2ef8cb9eb15

    • SHA256

      2e927bdc3e5bd50e16ec9b7c94a48a9bd6baf129728b8171e2f14f452ca476f7

    • SHA512

      bd2d21126aafd328d3e48abd228cc0e1896b8a5e903ae3528f53bc3850f2c0e42262415978e0ac97395248fcb8a1627713956073544e2eae93c2b89a2f54814d

    • SSDEEP

      12288:J7EhaAryXcd/C5gsunYMHag+30SypS41zBb9YfRcoIcvi7ZNeP71zjsxiY0LWxyi:XdMagsuV6lUL19+c0eWxz5Y0SxgUAq

    Score
    10/10
    agentteslaexecutionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks