General

  • Target

    QUOTE DOCUMENTS_20240511 PDF.zip

  • Size

    601KB

  • Sample

    240125-tdwr8sabc9

  • MD5

    4e70462fa560292704e02b507846a9d8

  • SHA1

    26e2914a35a4ab5d2784e28217c065241967546b

  • SHA256

    6ffaaebb19875b9595f10244b5f4511620da8ce6d554c86bd9c00308b28a0c37

  • SHA512

    ae9bdcff74e8dba732124cf0c9cd95271061f3835c3e20adb3621560bda2d88bbd327901f6326b8da7a1cef22d537481291d2c82316469d621da97b687a9a664

  • SSDEEP

    12288:UWEwy1JD2V2x5S+ymUYUwR8RzuxUW1JnUmo/TaJpdvTKeT0QEkR:21qVA5S+ymr8QxUW/UmPJTG+qkR

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

      • Protocol:
        smtp
      • Host:
        mail.coperwire.com
      • Port:
        587
      • Username:
        [email protected]
      • Password:
        H,)c,gn[z3QW

Targets

    • Target

      QUOTE DOCUMENTS_20240511 PDF.exe

    • Size

      619KB

    • MD5

      a02c28ae52f16981e6420d7871fd437a

    • SHA1

      2d66f9180a97b501b67d481a03d28249c8c86911

    • SHA256

      6f932d1404a384f3e5d190bcde1c819fb7a50daebabdd4c0384a65cb4fcb00de

    • SHA512

      eca7ec594689ba6788ceb06c8d0c1acc22a6b112795fb2220ebfb31ec032014a8aa89f6300e6a38e311f4672c2da6260df2b4f5416fbdb97ad87cdce9f4a7282

    • SSDEEP

      12288:NiU3YSTvgxVS+8lfDTjshLVNQ5GKLmKyPn+KhaJxdhTKeTb+C7Sj:oJ6SVS+85/8RNMbLm7+KAJbk+b/7Sj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Kinsing

      Kinsing is a loader written in Golang.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks