Overview

overview

10

Static

static

0189603e1f...3f.exe

windows7_x64

10

0189603e1f...3f.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0189603e1f23a9b8726e345a4f0f463f.exe

  • Size

    923KB

  • Sample

    211021-gm2nmaagbr

  • MD5

    0189603e1f23a9b8726e345a4f0f463f

  • SHA1

    415a8a780ad010025e409e33d6a8ad259f605042

  • SHA256

    21e329ad1a25176e7e17f0215f3fb95e723942e30b0f8eb6b478023dd0a36746

  • SHA512

    f8332f923bde2b55888dd1ba2d6460b2f54d5b7699c048546505cff63bd3239339a1cfc06ae70da2bb549db572e0b5c7f2c71b8f5c7ee243ffb0d83f3f67e3e2

Score
10/10
agentteslaasyncratredlinesnakekeyloggerdefaultprofessorcollectiondiscoveryinfostealerkeyloggerratspywarestealersuricatatrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.bursaplastik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ahm155

Extracted

Family

redline

Botnet

professor

C2

91.92.109.70:9412

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

91.92.109.70:5353

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1982610890:AAFCcNp1Tl28ILhhdWKR-lR4Xpa_V1kwvCk/sendMessage?chat_id=860277004

Targets

    • Target

      0189603e1f23a9b8726e345a4f0f463f.exe

    • Size

      923KB

    • MD5

      0189603e1f23a9b8726e345a4f0f463f

    • SHA1

      415a8a780ad010025e409e33d6a8ad259f605042

    • SHA256

      21e329ad1a25176e7e17f0215f3fb95e723942e30b0f8eb6b478023dd0a36746

    • SHA512

      f8332f923bde2b55888dd1ba2d6460b2f54d5b7699c048546505cff63bd3239339a1cfc06ae70da2bb549db572e0b5c7f2c71b8f5c7ee243ffb0d83f3f67e3e2

    Score
    10/10
    agentteslaasyncratredlinesnakekeyloggerdefaultprofessorcollectiondiscoveryinfostealerkeyloggerratspywarestealersuricatatrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

      suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

      suricata

    • AgentTesla Payload

    • Async RAT payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks