Overview

overview

10

Static

static

1

7d7df67660...32.exe

windows7-x64

10

7d7df67660...32.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7d7df676602a9235025bdcc7f5e550d532f294d6e4bd2195e12390e342bccd32.exe

  • Size

    672KB

  • Sample

    240524-bv1teage52

  • MD5

    b61f68ef968ddae3a9743437fdd26f88

  • SHA1

    3af6f1f6047cbe9319239875f7cc601185d32c94

  • SHA256

    7d7df676602a9235025bdcc7f5e550d532f294d6e4bd2195e12390e342bccd32

  • SHA512

    1d86da57cfaf9697cda684c294da9cc71525e4cc51d9eb8c73eff182ddac5644c2a28887328d408c0e3d12583eba57ce525d08069a28da438475cb9817b33778

  • SSDEEP

    12288:JzDi8LkpEaNB+shFpO31Yw3v2KL9sfHdYrtnoWTKx7FO/fv0Qsb/LkR:JzmjEcB+sbpoSw3JCdY19mQ/fv0QW/O

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      7d7df676602a9235025bdcc7f5e550d532f294d6e4bd2195e12390e342bccd32.exe

    • Size

      672KB

    • MD5

      b61f68ef968ddae3a9743437fdd26f88

    • SHA1

      3af6f1f6047cbe9319239875f7cc601185d32c94

    • SHA256

      7d7df676602a9235025bdcc7f5e550d532f294d6e4bd2195e12390e342bccd32

    • SHA512

      1d86da57cfaf9697cda684c294da9cc71525e4cc51d9eb8c73eff182ddac5644c2a28887328d408c0e3d12583eba57ce525d08069a28da438475cb9817b33778

    • SSDEEP

      12288:JzDi8LkpEaNB+shFpO31Yw3v2KL9sfHdYrtnoWTKx7FO/fv0Qsb/LkR:JzmjEcB+sbpoSw3JCdY19mQ/fv0QW/O

    Score
    10/10
    agentteslaexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks