Overview

overview

10

Static

static

3

573df9fa92...61.exe

windows7-x64

10

573df9fa92...61.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    909d39242d301cc07ffc6196bb487939.bin

  • Size

    676KB

  • Sample

    231011-mdsbgsge3s

  • MD5

    58967520eb02c08670db8cf4962f95ab

  • SHA1

    cda1be6ef24ddc7be1a3f8f43ac6bb230db29e22

  • SHA256

    772058f99994a6f1fb201dc4cbfc4f566a19183c87d6dc83a8ed4957b6831565

  • SHA512

    9e74c0ee5f897a76095e1a84ff76d9ba1c7c69aaaac8b1fcf209e0a3a02c40d66b680fcf722592968bc49a2f0dfbca10f730d35a3f9b3ed576d2e9f6af0ae9c2

  • SSDEEP

    12288:8KzKjM+NP3LLEqABuT3Eq1XS9fZ8QdybZun9bcBBT/rOiEnA/iJbs8EoIKkR:8KiM+V8Ho0QXS9f+Qdn90B/riA/iJbs9

Score
10/10
agentteslasnakekeyloggercollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.product-secured.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    575K5(MaZro2575K5(MaZro2

Extracted

Family

agenttesla

Credentials

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.product-secured.com/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    575K5(MaZro2575K5(MaZro2

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.product-secured.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    575K5(MaZro2575K5(MaZro2

Targets

    • Target

      573df9fa921ac9c03d681fd60ca7488df873ff8d1d5f6f8a11807e3189af4761.exe

    • Size

      1.1MB

    • MD5

      909d39242d301cc07ffc6196bb487939

    • SHA1

      1025f0ad973b6423d58022fc50059fbfd1eac425

    • SHA256

      573df9fa921ac9c03d681fd60ca7488df873ff8d1d5f6f8a11807e3189af4761

    • SHA512

      b6cfbba8ac398292e4d048c5c648cb85ae20bbf804829e36f92d7a1206720eff20c5f2fbf771c1d79cca9c8de9c143b7cc0f84588dde072632f364c452de8016

    • SSDEEP

      12288:Ow7KEJ0aIgurDVQjqREzY3O8tA3QHNu6m15r1/jc/2eUsD:NKE8VQj+EU3Q3QtHm/5/A/XUsD

    Score
    10/10
    agentteslasnakekeyloggercollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks