Overview

overview

10

Static

static

1

495b0122-e...af.exe

windows7-x64

10

495b0122-e...af.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    495b0122-e196-4271-8992-bc9b22c8a5af.rar

  • Size

    687KB

  • Sample

    230330-wls3esfb6w

  • MD5

    14a7895f66e0cb9c00b477baac4f324c

  • SHA1

    8806eab80b54f25f47645f49f15f26cb04f604ab

  • SHA256

    eefa163975eecfca65224623f2ba310e633d98d62e35bd8f0f0a5127ea37a246

  • SHA512

    4c9b5c85dec5dd5c446622258a1de9d3075399f3953c92bf9c3c437f6f41eba023b635ae608df2b283861b2505eba1d2cdfc325cef8c56809aa57cf0548684be

  • SSDEEP

    12288:PTm0b92HKtXt1pC80ZoYInnitBWarBcufCuyfStzzwW4blUKY6:y0AWxORysCffStyY6

Score
10/10
agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.ardsmmm.com
  • Port:
    587
  • Username:
    ebru@ardsmmm.com
  • Password:
    Ard2015**
  • Email To:
    oficinaabonosjuanluca@gmail.com

Targets

    • Target

      495b0122-e196-4271-8992-bc9b22c8a5af.exe

    • Size

      767KB

    • MD5

      b6109aab2d2a51ea0c6f6b28aa2a869a

    • SHA1

      c02f08dea05b56f953b5c724499c552dc7126c4a

    • SHA256

      2abb89507bbcec354ea3293c13851505059ade5b0b6070793cd69e44e01dcceb

    • SHA512

      9651051086d96a83fcbf8cfcd11f2e569a08a905e74deece22756a357594c601be05fa81f9d624c2c6014cf4a5a9ad9ca5a904751faf53d7a0e2dd3870e7b627

    • SSDEEP

      12288:/ghti/pICWSh/cg9E2bCVGpzOH/8/6l0ankiuhSnRTt1q15WkndorDNJcaugJjUJ:4O2ohkgO2Goek00ankzhSpXq15fndorw

    Score
    10/10
    agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks