General
- Target: Para Transferi Bilgilendirmesi-dekont.exe
- Size: 893KB
- Sample: 231212-jnfhwsafb7
- MD5: 21d1df1da2e98a9ab9268712b8448e84
- SHA1: 37c3233503068ba139bddcd9569ebaa068265590
- SHA256: a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db
- SHA512: b6eda1358566719b0bd5923caad17d3f678b816eff8bc613a1930ec0f83fe8a4ea65194a15ebf2fb1458b8889b369483e19107eac955e0ea0c380ff3c456bd63
- SSDEEP: 24576:K5xolYQY65XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA:dYkXXXXXXXXXXXXXXXXXXXXXXXXXXXXQ
Static task
- static1
Behavioral tasks
- behavioral1: Para Transferi Bilgilendirmesi-dekont.exe (Resource: win7-20231023-en)
- behavioral2: Para Transferi Bilgilendirmesi-dekont.exe (Resource: win10v2004-20231127-en)
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.aksumer.com
- Port: 21
- Username: aksumerc
- Password: 211116.kS*
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)