General

  • Target

    mel9.chm

  • Size

    13KB

  • Sample

    221208-nckqpahg79

  • MD5

    e7a3bc55f52eebb6ce7df0a0047fec40

  • SHA1

    b152e0d6abc8dab4500aaa4161dac968e54cad20

  • SHA256

    908d78eb614a8ecf652163a4ccbdf62deec33d03747d4342d4f90e5bcf7995d8

  • SHA512

    3537fee98df7a02510e65c4a7fbe302e154d37e5ea497fe2677936f3442afc565a4a6307a870971ca3f45a8d25bee50b71a04c515664737cbe72d4031a186a81

  • SSDEEP

    192:8FYhJztroZ7rRXcAU9aoSpW9KZYtsufMCKv6:gYjtroZ7rAv9yYtsuFKv

Malware Config

Extracted

  • Language:
    ps1
  • Deobfuscated
  • URLs:
    ps1.dropper
    https://cricot2.kylos.pl/mel9.txt

Extracted

  • Family:
    agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.peva.it
  • Port:
    21
  • Username:
    anita@peva.it
  • Password:
    Team2318!@#

Targets

    • Target

      mel9.chm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Collection
    Data from Local System (T1005): 1

Tasks