General

  • Target

    0e0a37201f9c3bfc496f370e3413bd3150418918c1800b363da50ebbff74b2ac

  • Size

    661KB

  • Sample

    240924-z58h1ayhjh

  • MD5

    f4f7f775a24c5e0c5003ee693c10c410

  • SHA1

    c2bafae24b721ab1f8c3c8c48ace58e2fc6fed56

  • SHA256

    0e0a37201f9c3bfc496f370e3413bd3150418918c1800b363da50ebbff74b2ac

  • SHA512

    d885b72fb7de2dadddae96271194fa6baf2a259ef8c1a4d90fa5e8122c769f30396d6137b3248e4af71b84e289263520d0906c2f5426d0d64940ad5382c2c22a

  • SSDEEP

    12288:hLIgF2HJIDp22DqPwqqPOjbyl8xCdH5VtuhnpCMKP5E83kW5wtQOFexn6tXXcl:h0SQ2Sw7Q90ZVUnMMKC8UWutcx61cl

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      PO. WW-1580 (DPEBO1-2SDC S25- Sep.exe

    • Size

      855KB

    • MD5

      c8b08e159040e8d38b1819755f19dfee

    • SHA1

      47bf4d8d42d51ce4d1262a77ff994a46c087d1ea

    • SHA256

      7307ce53e361889b72a0e2eba413ef31789e36c50efe5458ffe8e9bebe9f8b22

    • SHA512

      3e2b26015939e740580ce1649cbd18f699a70bd86c2d1d52e5b2a127ca4a488063859aa9c78d6e5b472c87ee6f075e1ec3c1c4d78d977c644927bf1e1233c8a2

    • SSDEEP

      12288:OcA7Qs2zJcpp22D8Pwq4POjhyv8xquIpsxnF6p0CF60PcNj8bQbNlgrdm4Vz0Rpl:40yQ2kw3QTsGxnUp0Q6WIN

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks