Overview

overview

10

Static

static

3

64b6ea0607...57.exe

windows7-x64

10

64b6ea0607...57.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4865f16a685bc3b34a91f595247f30e7.bin

  • Size

    533KB

  • Sample

    240613-bv1hmsyhje

  • MD5

    452f2dcbd2b3a37d2de8a39ba714e6f9

  • SHA1

    35235e939a8db049275a711af0f43451188097a6

  • SHA256

    72dcd57a6b1a6c8c458b39bfb0f1aca7eea34cb8197d9ab4b8c3387a02392888

  • SHA512

    d30820c9f697c1cb9ef270fc2e4e30accbfa72b378115b60e11eb13cd2c751a657619d6ea942e2ce55150c9ffe951d1fd38f029bcd446597d34d9529cb07cb76

  • SSDEEP

    12288:sn3i7gVynLRN2CymZLfJGJ18bVLFdci6jAdGSuu3xQPEtaVgbtSrgG:AYgALfthfJGYbFosuu3iPJVgorgG

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5970985875:AAGxcS7riy4ZlEmFj2Z031AsUoRvment2iI/

Targets

    • Target

      64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057.exe

    • Size

      743KB

    • MD5

      4865f16a685bc3b34a91f595247f30e7

    • SHA1

      c9e898e4c7c9026f0fded242d499ddb61b69a639

    • SHA256

      64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057

    • SHA512

      db1f449a2983bcaee04aa66852d94190ad02482c9944b0d13134cdb82379d6a86721d5412903090450ce0b4ec8e5e9a629cad321b76a2a762d6bc7f548ebd864

    • SSDEEP

      12288:Qt1esNS+7GrRybegXjup/inqt0qKmwRZ5J+:ri7GrRyKTNh0awr5Y

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks