General

  • Target

    TRQ.exe

  • Size

    275KB

  • Sample

    240807-pae8vsydkp

  • MD5

    a3ef7b3db56fd834a3f6e7f5260514b0

  • SHA1

    c79968b34032964457b7c9873318c11ac30f8149

  • SHA256

    3cc42cf175f5db337fec2f980b847dc58bd9a62c23830d8797e5bb05e5c69030

  • SHA512

    6064084d39fe9d824d1a83a0d5e4414295580e91b138823c7a4a297e5ab8b54e80ee18bfd46f5f74a5c09220e1dddc7eee05a1d424e20c7711db6f3edd47adba

  • SSDEEP

    3072:sr85CT4IAOerTxPmOI4fgXHNh5Pr8bN4gDuiICmKG:k9T4IAOerTxPmOtfg3Nf8bWfiICXG

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6983892140:AAFuDvnVBnkxRmQB8di3AZt-LndssiFsj94/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files with copies of itself in order to spread and cause damage.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

MITRE ATT&CK Enterprise v15

Tasks