General

  • Target

    12aeed7eaa414ea613124109989b337cbf1ff2203dd1c00d6e0d23ef65c15248.tar

  • Size

    616KB

  • Sample

    240727-bfktmswgnp

  • MD5

    c916b20644c8702da4b2e0098e690d23

  • SHA1

    e26f9f9685ed2b4f591f18dee128c636d7a54464

  • SHA256

    12aeed7eaa414ea613124109989b337cbf1ff2203dd1c00d6e0d23ef65c15248

  • SHA512

    d51758a7b034d636bc2d84a0f6d9f81b302e230798cfd587b1cc352a4624548d6eeba41df6c07c03f481f340ff40ab6914c7489fc80a6ad68b63d8d6178f14ba

  • SSDEEP

    12288:kHa+iju9099ZgE+lKEKBTQDCwd9oAcPzjzNDVGNTYf:ma+iiqW5fMQtd9bcLfGN

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe

    • Size

      614KB

    • MD5

      f0a32a05a16f6c1a40ea9bd68a155924

    • SHA1

      60b08e3589394870c41b46912b5937d2f785b5a0

    • SHA256

      4e25695bab3ab85fc29d5ec8858b9caefe193916eabe0d7bfc18059cb23c6757

    • SHA512

      5d3600252e0af5e30d167c18d00e19598a9e02e3fb93037acab41e6808e0a7a31476c8ae533dc8dae4e36b2afb1cd6ca16819c6b6eda06902df34582f5ea2634

    • SSDEEP

      12288:VHa+iju9099ZgE+lKEKBTQDCwd9oAcPzjzNDVGNTYf:da+iiqW5fMQtd9bcLfGN

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                | Technique                          | ID         | Count
----------------------|------------------------------------|------------|------
Execution             | Command and Scripting Interpreter  | T1059      | 1
Execution             | PowerShell                         | T1059.001  | 1
Execution             | Scheduled Task/Job                 | T1053      | 1
Execution             | Scheduled Task                     | T1053.005  | 1
Persistence           | Scheduled Task/Job                 | T1053      | 1
Persistence           | Scheduled Task                     | T1053.005  | 1
Privilege Escalation  | Scheduled Task/Job                 | T1053      | 1
Privilege Escalation  | Scheduled Task                     | T1053.005  | 1
Credential Access     | Credentials from Password Stores   | T1555      | 1
Credential Access     | Credentials from Web Browsers      | T1555.003  | 1
Discovery             | Query Registry                     | T1012      | 1
Discovery             | System Information Discovery       | T1082      | 2
Discovery             | System Location Discovery          | T1614      | 1
Discovery             | System Language Discovery          | T1614.001  | 1

Tasks