General

  • Target

    45d74ba88c51c821c09288e537aaf7ef_JC.bin

  • Size

    658KB

  • Sample

    230901-s6j4gaff5v

  • MD5

    38a9533e6070b0161e587a307cdee5bb

  • SHA1

    677d15614d1d573836a209c049570f4f6ae4600e

  • SHA256

    747be5d7c1a1b9927aeb029390127a8c3c2ee9bfc7290deb4fa9962e56855e10

  • SHA512

    0a3282dddd91c69ee43600059f3e20cd4a33987c1e7276a10979a8c26fbe40f2c4a20ba58998a17513cd1cfe2c05456edd6f9634f4dc39c5c0998c6264baec63

  • SSDEEP

    12288:nazl3J9LVDlqC0jLP27CcpwZX4leK0DXzs1LVLZ2ktJcyTKa4w0Z4XM06PcvcY:nahlDlx97mq1jtC/a4bKr60cY

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.quartieri97italy.com.ng
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    maxxy88max%12.M

Targets

    • Target

      93259ff75465197c8afdae1087f5f3cfa3656a65246847535065873605a183d0.exe

    • Size

      699KB

    • MD5

      45d74ba88c51c821c09288e537aaf7ef

    • SHA1

      b81a0050b176d6061aa3b0b8d958123dda57fee7

    • SHA256

      93259ff75465197c8afdae1087f5f3cfa3656a65246847535065873605a183d0

    • SHA512

      1ceca4b9997a952a478d215c8f0c8fd2219f5e1a773efa6a0b2b3699e368da307ad3ea8c7e8c4f4c3b475987cd1e3730df7ae9e7dd79433d8df35a8e3dc80ca3

    • SSDEEP

      12288:o4aoCUhRcOJ5cVu6cZ6qrEgY2Kp32y2xtKzKnQGCITQbR7qdKeGtMA120G1XId5K:tW5yAfqogY2KpGhtgKnFPQbR7mGR1YcI

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks