General

  • Target

    tmp3czzldh6

  • Size

    834KB

  • Sample

    241015-qrvkjs1dkj

  • MD5

    102cd04929ffa73b9584a7c6953a8ca5

  • SHA1

    6f7943b1901c44c28bc16483b4187bc8f15f5742

  • SHA256

    3890bc2638beaf831fb3ad49af5442ef5118d70a6d7c25a3fb0b05e47d9e75e6

  • SHA512

    ba7c17f3ddf61bf2a8ba7d2912b2a3b2737616bad21accfa84db8b958ab33a0b3b197a6326c240e8bbc23dfe8f0868bb68a19a20141e50ca9d9da258442e3694

  • SSDEEP

    12288:DeUSST7V67gJFlY5qWHJv/h42L7ukEYIbMpY6vbDOQv/Zlav7klgrdm4Vz0Rppp5:DcM7Y7gJFZWpvq2L7ukEYIWvPT

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks