Overview

overview

10

Static

static

3

BILL COPIE...ED.exe

windows7-x64

10

BILL COPIE...ED.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BILL COPIES FOR THE CARGO LOADED.rar

  • Size

    634KB

  • Sample

    231212-pt4essdaan

  • MD5

    2b14337a82650a947f648a1a32ece518

  • SHA1

    e014952b3fc108ca10d9ad0a537b945cac91e9b2

  • SHA256

    61c17cd9a0cb97bd062d3477a63c62659c111a6a29121820ae9cf5f391dbc5fc

  • SHA512

    89f0dd3d7a610ac94faae60a4fd35bee8cabfd7398508dff8f16378f7e555ffc2e748f38ca1b593c5fa28a3065d990f2061a83899187254c48941dc584e0a2bb

  • SSDEEP

    12288:vcoLvegiPGA/0DKpLefOQ3QfXNcaPxJI+wPavSnu27TXviQ9QYwa8SWE:vceiOmcBMWaJJI+TauwX6lda9

Score
10/10
agentteslazgratkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.mercuresurabaya.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    2ffPmXZ_5A{G

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.mercuresurabaya.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    2ffPmXZ_5A{G

Targets

    • Target

      BILL COPIES FOR THE CARGO LOADED.exe

    • Size

      698KB

    • MD5

      b1481791fc782040d8533019a3095e57

    • SHA1

      4f6699140313855dbe364831fbbaf5e794aac9d6

    • SHA256

      9d687a4e898291e7635a79e45f7cb5cd2f987dcd6f909d495e83dac2e1fd0cfc

    • SHA512

      d853b650704ad89f82df75e581dc9e53b0b9fd8749a14b2a037dde4d3b8f5a105c37127b836c3f38011b0e5984b8f78537ba2f4ab64304a7b3ce2a6e23e0c514

    • SSDEEP

      12288:yw3IU8S6eUdvSTznalJakk9uUXKsU3ky+pJ2frjrnGbW9fTbKYCNjPVHdys9bzs7:3ItSAdj3k9rKBPrGi9bbEPVHn5

    Score
    10/10
    agentteslazgratkeyloggerratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks