Overview

overview

10

Static

static

3

Req-No-480...ev.exe

windows7-x64

10

Req-No-480...ev.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Structure ...00.exe

windows7-x64

7

Structure ...00.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    29042024_1012_29042024_Req-No-4800011619_Ruwais-Ref_Rev.rar

  • Size

    517KB

  • Sample

    240429-cm6kcsfb99

  • MD5

    d356cad688de84f0ffb57b63191e1f98

  • SHA1

    98272ce95810bb4191dc51b88fc578204fcf6da4

  • SHA256

    f656fa2f7ff6cf97c06c7bd50a8f15e26b0b2326a999290098dd5200e0d9dd07

  • SHA512

    19efae9a487452e833051b5593d77caf1aeabddd0a0f6813eed86d7f66a5d5069cffcf1b20b5346c0619e567b2cceb4b5de527ad32729ed8611864bd64a07018

  • SSDEEP

    12288:XjlvLVBNqWnsnEfeivcfMlQUL3C3m/O76wnn:VVO4KfI+3cO7Xn

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    projectlog@aflacltd.top
  • Password:
    7213575aceACE@#
  • Email To:
    project@aflacltd.top

Targets

    • Target

      Req-No-4800011619_Rev.exe

    • Size

      339KB

    • MD5

      b8a8ca60146b0d8c08369576508d1536

    • SHA1

      874411f2590bc45b83783be977e681328a30b067

    • SHA256

      60e1db5951e3c8a6dbd797bc8925b45fba6e4ed4310b3ae98e40ab7652421e1f

    • SHA512

      adc8fe76a1e49660ec981dcf243fb8a1e7a6784f2ab90e1e0d3fcd25123665c37d571603036640b833e216f3c96d6d89a4394137e843e39ee313807f9aee714b

    • SSDEEP

      6144:EYa6EIIIIBDs7abZtyCE+D9hB6m82qaaza8e+r/Pu1AThPv:EYCw+bOj+D9j6N2qaMrn0AThn

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10
    behavioral3behavioral4

    • Target

      Structure description-Rev.00.exe

    • Size

      332KB

    • MD5

      93ed4d71925bf64cc42cc9dd295d0394

    • SHA1

      bb1feb06a69b108e103435bb5b498aab3c7315af

    • SHA256

      e3b090f044833c0e9328593357138a307bcf2ce0ab4badc3fd766b83beb4af1b

    • SHA512

      88a9d09fd2ba60f051bc86bf4c7dad87acbca6348e7380e21d635665aeaf7231842a7bd5f2b729bc93221bd6aa391e893f6f53d2c575aeadf512617b0d423f8e

    • SSDEEP

      6144:EYa6EIIIIBDs7abo+8dlqp5PhyOH+lMkMPHTEJp7eOm9t1t7N1e:EYCw+bl5ZyOelMLLEJE19tP7N4

    Score
    7/10

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10
    behavioral7behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Web Service

2
T1102

Impact

Resource Development

Reconnaissance

Tasks