General

  • Target

    SKM_C3350191107102XXX024_1.rar

  • Size

    917KB

  • Sample

    240125-vwzghsbec6

  • MD5

    aa3e4ee5dd62b035e63aaeca335d9dc5

  • SHA1

    5bfdd9bedaaae58bfc78e709acc75db383f5d706

  • SHA256

    f1845d4ab1ddb371b85bf29f0079deeb05265b940230f18840c37957f5cf084d

  • SHA512

    06d1377f437734e841333bcbcb382283d07037e9e6956b39d777469425621d1f42f720c4b8a37e1a83d326dab901c64e39106c6c23e68f779c07d8be9a01658e

  • SSDEEP

    12288:wSVOul3PU9+DYIW13o+HfB+O/dkNcei2cqfbMl48Y13HdxD++zuXmn02vG17lS4t:wSIuNEPH5+qFujMW8gXd98mni784AAxz

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6632122066:AAE29XGsmdODIClM9z0ljCY_v_-OdAjdPOM/

Targets

    • Target

      SKM_C3350191107102XXX024.exe

    • Size

      1.7MB

    • MD5

      d5249a2a4ede78b1ff3799e6c8b0b0cc

    • SHA1

      d0e4ee560dc2e4a5d71b8c1c3e1626541dafb399

    • SHA256

      a6a4e8b6276ff31b64a3c12858ca9c231972a8c0f12a89c01b4f32d2b95ed200

    • SHA512

      96f65962bace449806e2d522e627ade157327719564e5738473d824334fa571f1aadfbfb3ce4259f92f6636a2ce3cd2545b87b364722955c8cf2d0f0dbe1c927

    • SSDEEP

      24576:VEn+4Y9qBOsb/B9RJ4iju8F4WhH/ks5FDV1Q/JZeP03gus:VE+4YkOAB9RJW8F4M/kKFDVwJZ53C

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • Kinsing

      Kinsing is a loader written in Golang.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks