Overview

overview

10

Static

static

3

9426dad5ac...fd.exe

windows7-x64

10

9426dad5ac...fd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9426dad5acbb8dad59994481ea4714ba775af9ee4775b1283957f51f060f70fd

  • Size

    698KB

  • Sample

    240524-bpjb6sfh9w

  • MD5

    373459ab33f19f694e74ccbe758517bd

  • SHA1

    1e7815d201871605ebd0f3ddea1eece8bf8d0637

  • SHA256

    9426dad5acbb8dad59994481ea4714ba775af9ee4775b1283957f51f060f70fd

  • SHA512

    a046e9370b6aba5a0cd74be81083bfe63a7d30c8adef88f1e5b2b80ff861219cdd354f9e4d7d25c115fe2a7501aaabb464544711a5057025e93b996c9c7ca150

  • SSDEEP

    12288:mX2AXYMjhvPie/rByY7777777777777UFdPvoldUJA7RyLX4fiymt4If9oTohaSi:mX2AXYMFniyy9DvkobY+fSsaudnlVqhr

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    aowapnzgtwgqowgt

Targets

    • Target

      9426dad5acbb8dad59994481ea4714ba775af9ee4775b1283957f51f060f70fd

    • Size

      698KB

    • MD5

      373459ab33f19f694e74ccbe758517bd

    • SHA1

      1e7815d201871605ebd0f3ddea1eece8bf8d0637

    • SHA256

      9426dad5acbb8dad59994481ea4714ba775af9ee4775b1283957f51f060f70fd

    • SHA512

      a046e9370b6aba5a0cd74be81083bfe63a7d30c8adef88f1e5b2b80ff861219cdd354f9e4d7d25c115fe2a7501aaabb464544711a5057025e93b996c9c7ca150

    • SSDEEP

      12288:mX2AXYMjhvPie/rByY7777777777777UFdPvoldUJA7RyLX4fiymt4If9oTohaSi:mX2AXYMFniyy9DvkobY+fSsaudnlVqhr

    Score
    10/10
    agentteslaexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks