Overview

overview

10

Static

static

3

DHL Delive...45.exe

windows7-x64

10

DHL Delive...45.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a237e33b8c7c7316530743202db77f3f2ffb2e3a6ee31f1af8cbf55fdce16e08

  • Size

    796KB

  • Sample

    240523-cvkmvsad8s

  • MD5

    ec4b760740b7933d8ffa7c1f0de1a2af

  • SHA1

    0565bbadda59b90f4456bd2fd3a83c7d665e3a80

  • SHA256

    a237e33b8c7c7316530743202db77f3f2ffb2e3a6ee31f1af8cbf55fdce16e08

  • SHA512

    caad0e777a7218bd625e4fb38710b928c6a6f74250d1b1941d25416350595bfb07964d3272079b0358c114e7ad1aff16fcf1e88d4068506d040f8f0b4713c436

  • SSDEEP

    12288:ZbHMi8LkpEaFLVbmQNGvZE8kCyYYXPdap9+Fy8rM9NyPg1J7Pe5xfdzLA2S6Npjv:tjEobHNGh7k5Yj+FlM984v7PY

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DHL Delivery Invoice AWB#7490327845.exe

    • Size

      736KB

    • MD5

      84396eb97e3ade6cd6689329d7ff3366

    • SHA1

      8e8c061ece6bc8f36bad01514ba2869a343d456f

    • SHA256

      9524dbdb7a13bdd04e736f32c96690df3320fabc8587bd0880db9ff0fd497c8e

    • SHA512

      95460f92e93ff48045ab507a677d51065b10f068d4ad97d902e2e0f1f8b374c5ffcc8832a074cd964839818516c8e987ff818b408d509e3836cb5ce12145c63e

    • SSDEEP

      12288:pbHMi8LkpEaFLVbmQNGvZE8kCyYYXPdap9+Fy8rM9NyPg1J7Pe5xfdzLA2S6Npjv:djEobHNGh7k5Yj+FlM984v7PY

    Score
    10/10
    agentteslaexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks