Overview

overview

10

Static

static

3

b6d43405e5...52.exe

windows7-x64

10

b6d43405e5...52.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252

  • Size

    3.2MB

  • Sample

    240905-g91pvavbpl

  • MD5

    06dcb15ae610d9451fb568bc536069ee

  • SHA1

    611af21b221bd004e7546d2603793de501b4f38d

  • SHA256

    b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252

  • SHA512

    9ce44cf3089f267b8db94ae4bdb3e78655fefe0aab4125cae956f0fbef4aa161e6eaca1f3ac0b755d75e10a1e31a5231c450ac8a04fc461bd1dbf45ee92c19fb

  • SSDEEP

    49152:tJkY6l5vePmrlqqZZp/wuERzibxCfAz7x:bkY6l5vePGlp99b/x

Score
10/10
agenttesladiscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252

    • Size

      3.2MB

    • MD5

      06dcb15ae610d9451fb568bc536069ee

    • SHA1

      611af21b221bd004e7546d2603793de501b4f38d

    • SHA256

      b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252

    • SHA512

      9ce44cf3089f267b8db94ae4bdb3e78655fefe0aab4125cae956f0fbef4aa161e6eaca1f3ac0b755d75e10a1e31a5231c450ac8a04fc461bd1dbf45ee92c19fb

    • SSDEEP

      49152:tJkY6l5vePmrlqqZZp/wuERzibxCfAz7x:bkY6l5vePGlp99b/x

    Score
    10/10
    discoveryevasionpersistenceagentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • AgentTesla payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks