Overview

overview

10

Static

static

3

docdav20230926.exe

windows7-x64

10

docdav20230926.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    docdav20230926.exe

  • Size

    1.1MB

  • Sample

    231011-rsqtesdb3y

  • MD5

    909d39242d301cc07ffc6196bb487939

  • SHA1

    1025f0ad973b6423d58022fc50059fbfd1eac425

  • SHA256

    573df9fa921ac9c03d681fd60ca7488df873ff8d1d5f6f8a11807e3189af4761

  • SHA512

    b6cfbba8ac398292e4d048c5c648cb85ae20bbf804829e36f92d7a1206720eff20c5f2fbf771c1d79cca9c8de9c143b7cc0f84588dde072632f364c452de8016

  • SSDEEP

    12288:Ow7KEJ0aIgurDVQjqREzY3O8tA3QHNu6m15r1/jc/2eUsD:NKE8VQj+EU3Q3QtHm/5/A/XUsD

Score
10/10
agentteslasnakekeyloggercollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.product-secured.com/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    575K5(MaZro2575K5(MaZro2

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.product-secured.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    575K5(MaZro2575K5(MaZro2

Targets

    • Target

      docdav20230926.exe

    • Size

      1.1MB

    • MD5

      909d39242d301cc07ffc6196bb487939

    • SHA1

      1025f0ad973b6423d58022fc50059fbfd1eac425

    • SHA256

      573df9fa921ac9c03d681fd60ca7488df873ff8d1d5f6f8a11807e3189af4761

    • SHA512

      b6cfbba8ac398292e4d048c5c648cb85ae20bbf804829e36f92d7a1206720eff20c5f2fbf771c1d79cca9c8de9c143b7cc0f84588dde072632f364c452de8016

    • SSDEEP

      12288:Ow7KEJ0aIgurDVQjqREzY3O8tA3QHNu6m15r1/jc/2eUsD:NKE8VQj+EU3Q3QtHm/5/A/XUsD

    Score
    10/10
    agentteslasnakekeyloggercollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks