General

  • Target

    126-135.zip

  • Size

    6.3MB

  • Sample

    231101-plqtqsab24

  • MD5

    4285a25a9dd03d927838ba6b1631cd91

  • SHA1

    259f84a75ce7b8196b1ff1756f1817d6a2713d4f

  • SHA256

    a2c0c5b0b65a7b3f50e2df673d48731b53acb639de3cab0c6575ea7581a05151

  • SHA512

    67f0b2a03ad1104bc696499accff0e8c7c4363ce1217553cf21667c790efddeed0f48c6ed73624a449908d0f29c404d9f37b54e135b7072c6175d46fb61c4a02

  • SSDEEP

    196608:bK6J9TzegbHQHThRVOwklHqjR9tqfVJOBng9NS:bK6J1egbwVRVOwVR9tmK1g9c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.dogulumetal.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    DMaslak2950**

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.scahe.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    scaheavy@12345

Targets

    • Target

      2206a8ec9412f21394074c440d06362b.exe

    • Size

      850KB

    • MD5

      2206a8ec9412f21394074c440d06362b

    • SHA1

      5ac0a7331f26c12d7a11da3b15322dd8f3d086b7

    • SHA256

      46ecdfebbc4147cb426f5db7c417f6f09ff07e214825c2b92c416579580ba345

    • SHA512

      22ac3ad3cf39de1006947a0f9659dc4e418afad277347d1c5bb90f6065705fed51c02af5c97a7aafc21b6f8b43e3870d95ccc2cd260d0476ad3e3906b66823eb

    • SSDEEP

      12288:n9xcvG73htU7/2eQ1x9+PI3/Nbmsrw4lAqES3Ih1K751Z8WoOOutc3n026uOOzqD:n9xgG1tCueiBtgq13977Z83R3cuB2PM

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      2266d028b418dd59fb82994ae4557134.exe

    • Size

      677KB

    • MD5

      2266d028b418dd59fb82994ae4557134

    • SHA1

      080cb616975988a1d41f085648ed76b86171b07e

    • SHA256

      f8b91735d9157e4c518afbab6e6a4f87513002ea869da820708486b9cb704b71

    • SHA512

      ccefc1cda265370761b9666f791119e212cbd027048f46351224d7333448f186822f843cc18ab7f7ae7e2c68b34f63577c44411697203927d27012b5c864961d

    • SSDEEP

      6144:30Zqvy0o79RRcje4xB2bX7A6BzgE7XSPVTyrer/AwIczT7XzEhh:kZqveRR0NxAtBzgErrekw/j

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      2416ea6bdb302537f7e7f8161cbc6116.exe

    • Size

      694KB

    • MD5

      2416ea6bdb302537f7e7f8161cbc6116

    • SHA1

      2bbf24f529a399fe277015dfda78cf052d4411da

    • SHA256

      bb8b56e0c104a78e8282138ef5c215f1fb1288d27f95f35a048458dfd206a7c3

    • SHA512

      971707118b9b6ac83db74c69dbf4f347cbae4caa4285ed45dfd86bd4f16e02c86ae0516d5c00d58a9a6236ea23c7d190b9c28c22f1ab074dd62d213145706b2f

    • SSDEEP

      12288:RYE6qWjsZ5uEd2iNmG1Zb+4fOxl36M9v2mf3GDyHYh6lIWvebsODlt:RYE6/W5X1dSGOvR9Ge4h6l5veo

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Drops file in Drivers directory

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      3811e99f207240971d637064c8796e69.exe

    • Size

      355KB

    • MD5

      3811e99f207240971d637064c8796e69

    • SHA1

      c69549b08e786f767e8474e201b08e1d324f1ca1

    • SHA256

      4956c7edc7eb8765ab322d700fb15d2d5132f1f54fec7c1a46b6e7da78e81b5c

    • SHA512

      012cd19102e841b3df5de816853ff156c0a33bc6eedfef131656f3bced27e4150ee8c46bb9abbe8d37ed145ca281fd8f012062c7e65f1b44e5b051219791074a

    • SSDEEP

      6144:gky3ziMeSMLYa4phyX8s2s8xkLVNogLXax1vj5:l2uMeSMLCbsGkLVNTXW

    • Target

      4376b188058ea90fceaa3d49caa7dd8a.exe

    • Size

      752KB

    • MD5

      4376b188058ea90fceaa3d49caa7dd8a

    • SHA1

      339d21a0d00f4662f8bd8a83c009a9bf6af92870

    • SHA256

      50ac458169dd382176f04c26b8538ce829c903bf60cc2fa5ca7681feba1a7a98

    • SHA512

      1111eb47fb1f3148e05238b9778ac943c2675543b3a67c36cae35a217b443d539de832e235b725bbf51c5fc55a7deebd8014772f44b920a625800ab33f30eeb3

    • SSDEEP

      12288:jBTmC0lWxMzIHREJVk/bq4izoW/m7s2vVRjUEJ94kcWZh5SS/JXEnrvzmVictF+E:BmflWxMiQW/O4ue7fVRjUEHYSLUnr7Ar

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      4655d3e893aa264e7c15edf3893362cb.exe

    • Size

      805KB

    • MD5

      4655d3e893aa264e7c15edf3893362cb

    • SHA1

      6826877cb2f7bc8e74990a39ec531ac45a006307

    • SHA256

      bc1415731a9741b45e3cf26d00860b2e3ebff43550c7926d4dbf9ef06ad0058d

    • SHA512

      35b3c19cfc07170e05ee3cdf19a8a426b43c5c91b2c397db1aa19a25d1de3cf4787691b3fb3cc0c43afbaf0f0f8f91ae23dd90fa676597d946c6e88b88f9e912

    • SSDEEP

      12288:mbcvG73htU7/2eQ1x96+hZbMJQWVrG+LW3VVG8Q1/Ee0as0h:KgG1tCueiVZKQ0K+q0N/Ee0B0

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      832c205e98869a4743d66848d2e3c519.exe

    • Size

      1.1MB

    • MD5

      832c205e98869a4743d66848d2e3c519

    • SHA1

      6034be61cf10462fbf4c2ba8d0201a39315cba6f

    • SHA256

      52a48aba16c96af863ce4324d72fcbcb5becbffe00606059bd1e5ade83cb2ee2

    • SHA512

      abc257f257b6a4b04a63d2d548897d50bc1a70ea185499651f6d1a5ddbc82b2b02928ec0d644b0f1e89ecd9ad9f24410d844959bb15580efdfd6f2be279e1870

    • SSDEEP

      12288:xo0ZKHdWaClVU1e/1/yMLHNmirb3FQqUCd2e5M1YFqTpEh1:xfZmX1e3zXrb1QqUCRqTp+

    • Target

      901a8b668a797004226658495f79f9c0.exe

    • Size

      781KB

    • MD5

      901a8b668a797004226658495f79f9c0

    • SHA1

      04e2d3790fa8c0eee9193cc680c5ad6b63e0624e

    • SHA256

      8c87e92f4606b57b1292de938a18cc24e181b521092b17800f8909eb9e135c13

    • SHA512

      25777321b513f8e7704262d2a3f4b460b879024ed03559935352ff5590958d65b549de74a9b577d2b40c21ad1f39cd5b5dec798c2e13303a26b0cb31d3e16ffd

    • SSDEEP

      12288:BN6fNa2iNx5LbzIu9+r932acXnI7UJ6eqoifRv1ZmOTKQL2X0E8da2bg4aQ:ga1j5LA9oI7UR9WZmOTKQL2X0pLgm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      929a61aec3ce01dec7206d71e13948d0.exe

    • Size

      539KB

    • MD5

      929a61aec3ce01dec7206d71e13948d0

    • SHA1

      f3579f4fc8d034a86af10854af181ad2ce2793fc

    • SHA256

      c681aba8b1e25e102eb2314ef0a8040a102ba4a1843bdfe50cfafda2f82ce4ee

    • SHA512

      cc275f523b0a184e079acd5d359f920ccca32807cd5212fbc6d567c3d33f10cd9ed206308cd85c2cca279c279080b1ebeebced52c8717e46b0bb51ab22da44e4

    • SSDEEP

      12288:Y//BV3YBQKTkZqlvGV7MwH7Hc/ZBXmU6jM:M3i1HvGV7MwH78BKA

    • Target

      995f49454cab4d1a79a73620a454a191.exe

    • Size

      1.4MB

    • MD5

      995f49454cab4d1a79a73620a454a191

    • SHA1

      fab9bb3b3d54b5b5fd2dda76469c00820d510439

    • SHA256

      42a79ea60f01d619dd9886f6e37745bfd8783a6c85bcab51b76ee3e2c8e4a26c

    • SHA512

      e7e6f74c38b086afcc823349dbedc4af7c28da00fe966fc7d049705cb86877aeca7e51c657bd7b9f97e5dd1132341c4d09190348b0d67374b9f59e1cbdb559a4

    • SSDEEP

      24576:5PxMfmw1AXiS0rMaqERwrH4wOVfa+vUe/I7YcMUigeVPNDo7zjdrGTjjefU:QRai1vfC0phQ7YcMUigeVlDAzpregU

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

agenttesla zgrat keylogger rat spyware stealer trojan
Score
10/10

behavioral2

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral3

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral4

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral5

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral6

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral7

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral8

agenttesla collection keylogger spyware stealer trojan
Score
10/10

behavioral9

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral10

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral11

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral12

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral13

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral14

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral15

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral16

agenttesla zgrat collection keylogger rat spyware stealer trojan
Score
10/10

behavioral17

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral18

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral19

agenttesla keylogger spyware stealer trojan
Score
10/10

behavioral20

agenttesla keylogger spyware stealer trojan
Score
10/10