Overview

overview

10

Static

static

3

182873a350...0a.exe

windows7-x64

10

182873a350...0a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    182873a3506ff1672872df4e60f3ab692395d4d8aa736815e3f3246a05d22e0a

  • Size

    776KB

  • Sample

    240524-brxmksgd23

  • MD5

    dbd661f87b1e5ab77f8aa040b0372beb

  • SHA1

    887fe37f8771ae5fb7c7d802dada935d9f26cf67

  • SHA256

    182873a3506ff1672872df4e60f3ab692395d4d8aa736815e3f3246a05d22e0a

  • SHA512

    cda5a9f1d4355051a03b08bb03295027d3ea64067b49e76cee0094f62fa07608a2700f937791612067aaaf06e6c2b144669852d535347f2f872ed55f7cd56913

  • SSDEEP

    12288:rPJPZAXZLD66F/i6macKmdijSATSTO9A8lJPm0T87v08+Dsw/nxS8Kjj7tWmcgQx:rhPZgL2i/i6mxK9BOTOeT7c+F3wmj6F

Score
10/10
agentteslaevasionexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      182873a3506ff1672872df4e60f3ab692395d4d8aa736815e3f3246a05d22e0a

    • Size

      776KB

    • MD5

      dbd661f87b1e5ab77f8aa040b0372beb

    • SHA1

      887fe37f8771ae5fb7c7d802dada935d9f26cf67

    • SHA256

      182873a3506ff1672872df4e60f3ab692395d4d8aa736815e3f3246a05d22e0a

    • SHA512

      cda5a9f1d4355051a03b08bb03295027d3ea64067b49e76cee0094f62fa07608a2700f937791612067aaaf06e6c2b144669852d535347f2f872ed55f7cd56913

    • SSDEEP

      12288:rPJPZAXZLD66F/i6macKmdijSATSTO9A8lJPm0T87v08+Dsw/nxS8Kjj7tWmcgQx:rhPZgL2i/i6mxK9BOTOeT7c+F3wmj6F

    Score
    10/10
    agentteslaevasionexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks