General

  • Target

    20230315_0844.chm

  • Size

    15KB

  • Sample

    230315-pwrh1sfc4y

  • MD5

    d0d90d142cc30afb9e88d10fe6a7f376

  • SHA1

    241e1bb564768f540ac6d0738414c81619fa9a54

  • SHA256

    5f2d62a83576dc78949cc945ff788cd8d3ee622fb421832d27aef39b4ff816b4

  • SHA512

    daaf7b1dbdb284bf7dc5561357dcd7d2ce7f9ce8dc01767ff092a24173a90d6140321be22f2a68c06730a196c0630ac58bcfdbf85eaa366d686f5cbc8f335f1d

  • SSDEEP

    192:cxcQfrfEjvwylMdR+qntccjaenzKVaSLA/cLo7bO:cxcQOvFMdR+etfjKaS8Z7bO

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    http://pinewish.com/M78.txt

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.logistor.hu
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Anon0850!@#

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.logistor.hu
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Anon0850!@#

Targets

    • Target

      20230315_0844.chm

    • Size

      15KB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks