Overview

overview

10

Static

static

3

14bf714055...00.exe

windows7-x64

10

14bf714055...00.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a00366a3483d1d632223d68c8e6e3f15.bin

  • Size

    991KB

  • Sample

    231011-mdk76sgd81

  • MD5

    b8b908fec4228a1de42ca00d67558c20

  • SHA1

    b78fb12f6d43734b0f891742b0e4edfca6fc2139

  • SHA256

    6be6165efc48f7f9f60a5b90b8c5729e33623773e55354ae8e3e4611e03b64d9

  • SHA512

    64cf3a7616d7dd7d56f3bd4d3bfd3a273ae2958bf5885e766d1eb0078989c533b68c786715d3c8d08c0beb5c2153c321d1b2b4e3b556360278583acad3e02ca1

  • SSDEEP

    24576:QdGTr09kiC6GceKXGHuD3Mw3UsBaG7WgeNE/Y0hgJezDqxvK:QdGHR6TeYGOfEsMZgeNERBAvK

Score
10/10
agentteslasnakekeyloggercollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.product-secured.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    2V8SHFwjad34@@##

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.product-secured.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    2V8SHFwjad34@@##

Targets

    • Target

      14bf7140553ce01a73ddd0bad30d173a14aa1614ee208b01f7a165969aefdc00.exe

    • Size

      1.1MB

    • MD5

      a00366a3483d1d632223d68c8e6e3f15

    • SHA1

      9d3e8a5526c15408d28ad1af21937020accc5ff2

    • SHA256

      14bf7140553ce01a73ddd0bad30d173a14aa1614ee208b01f7a165969aefdc00

    • SHA512

      8a2579d06efaa4f49e73b50993ddd15728639c3ec73a743939cfcb1e2b46c899386719a0c83aca55891b54d7e639e9099254bc35a4ba1f21f6346934c93a5a24

    • SSDEEP

      24576:6oJkNU2vAuIan9AuMyLSisyKuMYc8u5XMxoZgnb3iPwwxA5MY:6ouFAuB9AuMyLSglMYdCMxoiboU

    Score
    10/10
    agentteslasnakekeyloggercollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks