General

  • Target

    5eddfcfbde12dfd59c1ddd866546c9604f392d350ebc83a0ef58f5026e4fea4d

  • Size

    790KB

  • Sample

    241120-wxl39a1ka1

  • MD5

    2749ea6fa4478739201ed37fac824210

  • SHA1

    fcc3a4277bb5426f242cd4c6078efac6b531f5d4

  • SHA256

    5eddfcfbde12dfd59c1ddd866546c9604f392d350ebc83a0ef58f5026e4fea4d

  • SHA512

    b61847f6de5dd8b90c9f58d2da37519fd57a34f4e21bc7180252f6c6d2fa473dec363d86da9d0e992913437b506ba6bf00d072e16ef85fb5355dd47570bed0b4

  • SSDEEP

    24576:4oz3UXV6wnJPVR42psbwy/5+LOm4/QZ20EtU:4M3mhDps0L54/XbtU

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe

    • Size

      1.1MB

    • MD5

      9e4c975a08c32f87ff086024ba780bd0

    • SHA1

      dbc81c855977fdff4f4a1cf99c0be1b984dab109

    • SHA256

      2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1

    • SHA512

      4903268f884e4dde313d3d088050674aadbd9fdb93f79539a5312e33d24498520c389d18ce99e84874ba399c1782d5242872f7f9a95fbbaec717e21e3a0f3b8d

    • SSDEEP

      24576:8AHnh+eWsN3skA4RV1Hom2KXMmHaxsBAhLuqFfs3quI5:bh+ZkldoPK8YaxsShLHgqB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      68f3f6a8e2c034cfa63a5083aa214e6973ec425313e52d78ce5f4360e00d9867.elf

    • Size

      16KB

    • MD5

      c1d27bdb76a71739a76522adbf60c78d

    • SHA1

      1eea0cc25403851a0271160af73bf62cd2f0c793

    • SHA256

      68f3f6a8e2c034cfa63a5083aa214e6973ec425313e52d78ce5f4360e00d9867

    • SHA512

      545043d476e2bbe21a4cea5cbac0eed02fe18a348cb93eaca90c7f52b2057e97e35e6ef144f4dcbceecba4b64be70fb660067fafb9dce57a019d8735df4901bb

    • SSDEEP

      384:3jCN0cskc0sE8UMkc0avE3T42zJEVUUS0H4Gir:G/skc0sE8UMkc0avE9/U

    Score
    1/10
    • Target

      76a5d5651a6bb05f67e88fb646e969963c8f3baeda763a86649d4cd2f2ff967b.js

    • Size

      1KB

    • MD5

      2a16e3be007559b0c42104025a3a2941

    • SHA1

      22ecb792e6ca50fdbb9da0420228b9d6a6c1e3d5

    • SHA256

      76a5d5651a6bb05f67e88fb646e969963c8f3baeda763a86649d4cd2f2ff967b

    • SHA512

      c2581a1a1b4a05941e593dc62cf6d7ad5a17fbc335df2d0916b0458113f3c2cd98a776dfd11ba76082d72bd9169ebc97086d8331b188b241407a060bfaa5cba3

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998.vbs

    • Size

      132KB

    • MD5

      3b613b81a9d2bfb9ee156ff4f3e03a93

    • SHA1

      8364c6919db9ecf241af281d380d464dc59c84ba

    • SHA256

      8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998

    • SHA512

      cab65db7ff1ef2f743b68e4aec31c1d6ed000172510ed0d9f57d7a4d44dbaf26844bcf353537fdc4a71ad90a48ad60d4058fa25679e52649071079da56ca8d7f

    • SSDEEP

      3072:fwuzkYMPZJqaVBsPHFBktYkCeJ+URvMP/Rj5mk36VYK4qhU4IsMMBlt:f7kYMPZoaVBsPHFBqYkR+URkP/Rj5mj1

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Target

      92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe

    • Size

      55KB

    • MD5

      d9d9b943acbbe0394122d68a5ac5919f

    • SHA1

      1befa767e5ae1f06658563cee6520bb7598999aa

    • SHA256

      92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435

    • SHA512

      3ccf9b9050c878f60abeaae5b08b57e631b05d110d70f27788aa7d286e22d7ca40ea4575fb69ef09d305348b529bbfbe8a39a9307b57aa4397595e5a1b2f4780

    • SSDEEP

      1536:6/BsBQBWHVuH4yB9OIBABttaAOeXc5aX2r8I:6/BsBQByV0vB9OIBABttaAOQQeI

    • Detects Obj3ctivity Stage1

      Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.

    • Obj3ctivity family

    • Obj3ctivity, PXRECVOWEIWOEI

      Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.

    • Target

      967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf

    • Size

      4KB

    • MD5

      2d6060a66195cf2a68d79606b5eae8f8

    • SHA1

      426a17bf4ec7f5eb61ca038032fdea22ec401379

    • SHA256

      967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af

    • SHA512

      55f0c46bd8fa99604238b06e5bd8737574d69f12b6e52adc3b253805952616f3e7da0a7aa179c1a8bd1d3b07fcab1a49ddd4bbd057c34ca8fb957c78b8269754

    • SSDEEP

      96:QLl3HYpkWq2Ngv+yp5UglURVkFvHADrseco7VLo6EEGrvJAt5PbANI:iloisN6p59loSFCsA7VREEGrRQ5PbAu

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe

    • Size

      59KB

    • MD5

      c1667c76b9835e9ed50cb723a177c596

    • SHA1

      505d31c1543fe7f03da5c536d31d5bf6873a8f5a

    • SHA256

      a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96

    • SHA512

      dfd1b989ed0c6b02cbef586a15cbd0ce13f1e28c44c5135f8e48b2e631f39b03d967c0860e5b33204d56ff4194571e80ed647a33422d5d60b60c10d79c9ee6a1

    • SSDEEP

      1536:jBZB6BqMlDnzYIBq/BHByABByZ+rhihUqq1YjVG0qzrg0:jBZB6BqMlDzYIBq/BHByABAZqwZqSk

    • Detects Obj3ctivity Stage1

      Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.

    • Obj3ctivity family

    • Obj3ctivity, PXRECVOWEIWOEI

      Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.

    • Target

      bbb50d99d2286fd78099998d4b3f17e441927cfa1e3951893e7acecf77fee1d5.js

    • Size

      1KB

    • MD5

      3322656d0ed56adf901eb96133be3dd6

    • SHA1

      9d52c69d88ec67311de43534075c737b9fee061a

    • SHA256

      bbb50d99d2286fd78099998d4b3f17e441927cfa1e3951893e7acecf77fee1d5

    • SHA512

      b94a6caa79a5899851d811d54ae6b2625df66a86683b06576ac72108b32099e61cc098ac91361b1b53bcec21517ce0aec13af37f37b31bffd43b7379b8eb9654

    Score
    8/10
    • Blocklisted process makes network request

MITRE ATT&CK Enterprise v15

Tasks