Overview

overview

10

Static

static

fwdPacking...B).msg

windows10-2004-x64

3

Packing List.chm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fwdPacking List (8.76 KB).msg

  • Size

    25KB

  • Sample

    221002-y6h43aagej

  • MD5

    22cac913784ba7331e7aa96ce23fc7ed

  • SHA1

    470cb89eaf735348d3ddc0ec1dd25d51a390e653

  • SHA256

    c3dabf7c8397559c952aa488cf7f6ad57ba614e0e17923ac061a5cadcc94c6ef

  • SHA512

    f4055bbd44abda4a9eb20a95ee372e981f8963bf78e7d5ba04542fc6e6629a95f6d9cdd6315cd9b27c508ff3c94c762d5faa4f687b150b888d9a189210755ca0

  • SSDEEP

    384:4sSDaf9+XzLT4qgFxJb3ujB5GbEpw144fLnxdjU1o78/8sA:4sSDaf9+XvT4qgFfb+rGyw14k/8o7O

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://mgcpakistan.com/yimu.txt

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.onogost.com
  • Port:
    21
  • Username:
    infoo@onogost.com
  • Password:
    boygirl123456

Targets

    • Target

      fwdPacking List (8.76 KB).msg

    • Size

      25KB

    • MD5

      22cac913784ba7331e7aa96ce23fc7ed

    • SHA1

      470cb89eaf735348d3ddc0ec1dd25d51a390e653

    • SHA256

      c3dabf7c8397559c952aa488cf7f6ad57ba614e0e17923ac061a5cadcc94c6ef

    • SHA512

      f4055bbd44abda4a9eb20a95ee372e981f8963bf78e7d5ba04542fc6e6629a95f6d9cdd6315cd9b27c508ff3c94c762d5faa4f687b150b888d9a189210755ca0

    • SSDEEP

      384:4sSDaf9+XzLT4qgFxJb3ujB5GbEpw144fLnxdjU1o78/8sA:4sSDaf9+XvT4qgFfb+rGyw14k/8o7O

    Score
    3/10
    behavioral1

    • Target

      Packing List.chm

    • Size

      13KB

    • MD5

      08cac56b75979c1f3bfc2e83e123a2fc

    • SHA1

      56227c920783d547a673e0de919f438dba846c01

    • SHA256

      11731e8a97c3ced6e50ffa011b04bc6b54cc5e4ee1ccf2c4fc70247b7ae4528b

    • SHA512

      3be2746d1a0179642db2e7a85ba5cb4815e95582e56efb3e981755ecc50fc6590d425993bfb8f3685d3d79871ec88c597c545850929595c04abb60690169ac4b

    • SSDEEP

      192:tyBAu4E8Y/p6efAPaiQ4nggjClAgLZkByk0GAN:tyauqYR8s4ggjCb5k0

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks