Overview

overview

10

Static

static

42752f5ad5...bc.exe

windows7_x64

10

42752f5ad5...bc.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    42752f5ad56e5b7db47f5cade7e84abc.exe

  • Size

    852KB

  • Sample

    210926-x5376sfbgp

  • MD5

    42752f5ad56e5b7db47f5cade7e84abc

  • SHA1

    e1cb9c502536f14f0760c4404b307a4804cb14c8

  • SHA256

    926962feeeae5258e6d7bc03c9561cb19912e44b587a1eb30f54f52db479254c

  • SHA512

    bd41b3d06af5fce351309c6fc05a77aed088be5726a7cfe5b76b2fd05eb962d53c8733adb33ee066fd562d069b4805792aecf280b1f74994f97f7be3db11aa6b

Score
10/10
agentteslaoskidiscoveryinfostealerkeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    PxhrKDkvikRcSaP2dkv9

Extracted

Family

oski

C2

schulenburgrvpark.com

Targets

    • Target

      42752f5ad56e5b7db47f5cade7e84abc.exe

    • Size

      852KB

    • MD5

      42752f5ad56e5b7db47f5cade7e84abc

    • SHA1

      e1cb9c502536f14f0760c4404b307a4804cb14c8

    • SHA256

      926962feeeae5258e6d7bc03c9561cb19912e44b587a1eb30f54f52db479254c

    • SHA512

      bd41b3d06af5fce351309c6fc05a77aed088be5726a7cfe5b76b2fd05eb962d53c8733adb33ee066fd562d069b4805792aecf280b1f74994f97f7be3db11aa6b

    Score
    10/10
    agentteslaoskidiscoveryinfostealerkeyloggerpersistencespywarestealersuricatatrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

      infostealeroski

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata

    • AgentTesla Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Tasks