Overview

overview

10

Static

static

10

OSTOTILAUS...32.exe

windows7-x64

10

OSTOTILAUS...32.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    OSTOTILAUSPYYNTÖ _0932.exe

  • Size

    6KB

  • Sample

    230615-z1kw5sbd54

  • MD5

    8402ed726c49025989f98d23ce9d7e3e

  • SHA1

    e5784d2999ab073773b65e7d3a10ab2bb3460ff0

  • SHA256

    5780663f3e32e0308caa2cc657ccdcaadf393f22d2c1c3c1f5afa9f55aa136bb

  • SHA512

    208fdd79dd0ff0a61a0dccc80ea718b6f6ef18151104d3d74753035e7ed2844facc07df1605af42dfbb6631971eff6e5ec4cecbbe42f93bef0e3c75d5c942ebc

  • SSDEEP

    96:gzTFJVQ7mAK9KgeRZskYuIH7dYYyWwRkvPzNt:gHa7m79ETSuIH7dYYyYR

Score
10/10
agentteslapurecryptercollectiondownloaderkeyloggerloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

purecrypter

C2

https://files.catbox.moe/6dlgj3.mp4

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2100759405:AAFzA0s7LpNOhvzQJo2bUlDpzSqnB8ir69o/

Targets

    • Target

      OSTOTILAUSPYYNTÖ _0932.exe

    • Size

      6KB

    • MD5

      8402ed726c49025989f98d23ce9d7e3e

    • SHA1

      e5784d2999ab073773b65e7d3a10ab2bb3460ff0

    • SHA256

      5780663f3e32e0308caa2cc657ccdcaadf393f22d2c1c3c1f5afa9f55aa136bb

    • SHA512

      208fdd79dd0ff0a61a0dccc80ea718b6f6ef18151104d3d74753035e7ed2844facc07df1605af42dfbb6631971eff6e5ec4cecbbe42f93bef0e3c75d5c942ebc

    • SSDEEP

      96:gzTFJVQ7mAK9KgeRZskYuIH7dYYyWwRkvPzNt:gHa7m79ETSuIH7dYYyYR

    Score
    10/10
    agentteslapurecryptercollectiondownloaderkeyloggerloaderpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

      loaderdownloaderpurecrypter

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks