General

  • Target

    d655f6cc8549b757a52c8814dcdf84f248e66956d933b55cdb0fa891593ec3da.zip

  • Size

    654KB

  • Sample

    240524-b6l5dsha93

  • MD5

    6585e1cf69f5e01fb4f35d0e770ce283

  • SHA1

    4b08bb7bfab72c71d701625fa451d39d20fb3d49

  • SHA256

    d655f6cc8549b757a52c8814dcdf84f248e66956d933b55cdb0fa891593ec3da

  • SHA512

    503ff5484ba5d89543c3a7d4ca641afa68c3003d21608ae57b6054ccf6607ab88c25216e54a6f950bf965eebb30c91409b7102431d5b0f26849b2abccc6de162

  • SSDEEP

    12288:FzWWITuvkHBM7GNXxm70e++DatYk8nlWim5gKNBcHCPLICoPe8OMtu:F6WeKU4Gwc+A+8OK3ciTHee8OMtu

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      FW CMA SHZ Freight invoice CHN1080769.exe

    • Size

      683KB

    • MD5

      3288dbaae811a799ea563988c0d78315

    • SHA1

      48802f823b253a45d829b15bd0802db54ce35993

    • SHA256

      e0e366834de34a6e93035842b46662c2b1b05d350c1218953f8faab632ead3ae

    • SHA512

      fc6b2c90ad9c9f2b906a6247230d2f71a0cbe764b0e3ea2c67d49477fb4f81580dd96a5ba2e3d11e92b15f8421b48e8afd7bd06e6d5ee009b8babfc1acf9cc80

    • SSDEEP

      12288:3I23I9uvcHdMFGNX/m7EA++tat0kanlWimxg8NBcHYPLICoPw896GpQkR:YYyK+wGGs+sY8283c4THew8EG9

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables; mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              Count  ID
  Execution             Command and Scripting Interpreter      1      T1059
  Execution               PowerShell                           1      T1059.001
  Execution             Scheduled Task/Job                     1      T1053
  Persistence           Boot or Logon Autostart Execution      1      T1547
  Persistence             Registry Run Keys / Startup Folder   1      T1547.001
  Persistence           Scheduled Task/Job                     1      T1053
  Privilege Escalation  Boot or Logon Autostart Execution      1      T1547
  Privilege Escalation    Registry Run Keys / Startup Folder   1      T1547.001
  Privilege Escalation  Scheduled Task/Job                     1      T1053
  Defense Evasion       Modify Registry                        1      T1112
  Discovery             Query Registry                         1      T1012
  Discovery             System Information Discovery           2      T1082

Tasks