General

  • Target

    20230315_0844.IMG

  • Size

    1.2MB

  • Sample

    230315-vbmxzsge5z

  • MD5

    625667b0dcbeaf340563018f2578a147

  • SHA1

    34c225a749011ede19990b23c6e5ca8af3d9bb31

  • SHA256

    af8c6054dd7d3917c4b9bffaf78d3ec7a0697eeefcf57692da82768a04d91dbe

  • SHA512

    92d8a5fa4c05a559d86521e789edb0bb14d990c1bfa638c15d06b5a2683ef82e09e7a50278f1ff2e98676d750a4edb5754806db0f0ff243cb2d1016b797648bf

  • SSDEEP

    192:9rJIvxcQfrfEjvwylMdR+qntccjaenzKVaSLA/cLo7bO:gvxcQOvFMdR+etfjKaS8Z7bO

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper: http://pinewish.com/M78.txt

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.logistor.hu
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Anon0850!@#

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.logistor.hu
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Anon0850!@#

Targets

    • Target

      20230315.CHM

    • Size

      15KB

    • MD5

      d0d90d142cc30afb9e88d10fe6a7f376

    • SHA1

      241e1bb564768f540ac6d0738414c81619fa9a54

    • SHA256

      5f2d62a83576dc78949cc945ff788cd8d3ee622fb421832d27aef39b4ff816b4

    • SHA512

      daaf7b1dbdb284bf7dc5561357dcd7d2ce7f9ce8dc01767ff092a24173a90d6140321be22f2a68c06730a196c0630ac58bcfdbf85eaa366d686f5cbc8f335f1d

    • SSDEEP

      192:cxcQfrfEjvwylMdR+qntccjaenzKVaSLA/cLo7bO:cxcQOvFMdR+etfjKaS8Z7bO

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks