Overview

overview

10

Static

static

mel9.chm

windows7-x64

10

mel9.chm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    FYI_22.7z

  • Size

    6KB

  • Sample

    221208-j4w6kscc9w

  • MD5

    e3d9672c945bed35de2c0f2d13b7c650

  • SHA1

    10c935f4302993ab96869b8af9b504942a19dc3e

  • SHA256

    418cdd70eebf59fb709f1d8e476bd05fd62e1b1e7468ed905f39e141befd7c3f

  • SHA512

    7ca46d17aeda035874cc5d042526f17ff82e8b08090f305c0e81bd367876d1c7eeb639c1ff00254acd5e1e096c3e2c6b7a97a2fb2ab793d73491c5bb9797136d

  • SSDEEP

    192:S/mMAkN4fc9t3bHUrnLfEe7ATyYHWeD0q:S9Xm2bEEe7aDHWegq

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://cricot2.kylos.pl/mel9.txt

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.peva.it
  • Port:
    21
  • Username:
    anita@peva.it
  • Password:
    Team2318!@#

Targets

    • Target

      mel9.chm

    • Size

      13KB

    • MD5

      e7a3bc55f52eebb6ce7df0a0047fec40

    • SHA1

      b152e0d6abc8dab4500aaa4161dac968e54cad20

    • SHA256

      908d78eb614a8ecf652163a4ccbdf62deec33d03747d4342d4f90e5bcf7995d8

    • SHA512

      3537fee98df7a02510e65c4a7fbe302e154d37e5ea497fe2677936f3442afc565a4a6307a870971ca3f45a8d25bee50b71a04c515664737cbe72d4031a186a81

    • SSDEEP

      192:8FYhJztroZ7rRXcAU9aoSpW9KZYtsufMCKv6:gYjtroZ7rAv9yYtsuFKv

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks