General

  • Target

    PO19223403.z

  • Size

    995KB

  • Sample

    240213-nb5dpshe89

  • MD5

    060167c99a02bd7d9dd048445ff20dc5

  • SHA1

    cd31675b559d8aff9b3429f5515ff856efadc38a

  • SHA256

    d73f8f8dc88a35ebc1a1876433c6daa4f8cb40b5b34c3e2aed3343831438b9e6

  • SHA512

    2b6a2a20170309ba0c424bb4565180a8f35078ce3c8e8dfdd28fdaa3c72a58e5c4422b3f1d34e724a17758e2adc9e8c0926166306c06f0529f0acc30629316b5

  • SSDEEP

    24576:tbqli/cAW19xFCfjHLwp374MAtCUCRtr8O+10DZe9YLn:tbpW1RCrHcF7TUCR60trn

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.hardblack-architects.co.za
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    computer22@

Targets

    • Target

      PO19223403.scr

    • Size

      1019KB

    • MD5

      1310b0c86f99ed198cfd1802cfabe1e6

    • SHA1

      f9da789a0e49f7f0332c21e65f3f9fb746cfb82a

    • SHA256

      bbdb2beee29b5cd7d145cf722ef633432ce5c229a9eba8048eb747e4fc10d5bb

    • SHA512

      076eb43fc662d8a27a5528407bd9f42d93e916034cfd13d10c32c3e98573571fd232a26d04ac0a8f991f0d33361a532e2bb24f7b1752ee9c2abd5f47a13603a5

    • SSDEEP

      24576:+sEChyXOAaCr9Ar9ssls+qRMcePSu41y4I7c9Ek+dv/h9Q8UnSBtv4YyU06:+mIimAJnsvp2IA/+x+d/ha8USBVf

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      c5b9fe538654a5a259cf64c2455c5426

    • SHA1

      db45505fa041af025de53a0580758f3694b9444a

    • SHA256

      7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

    • SHA512

      f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

    • SSDEEP

      96:xr7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkNL38:xxbGgGPzxeX6D8ZyGgmkN

    Score
    3/10
    • Target

      Pointment/Kreditgivninger/Campanulous/Blaamejses.Hov

    • Size

      52KB

    • MD5

      8ff2c638f7da5e382ba3994d4ea5a0b9

    • SHA1

      c59f7e6b5fbdd2d79ec8c590e62f7b84e65c842a

    • SHA256

      838c2ef819f207ca24853cfcb596d83eb0ebb070e0593c999c0eb2f91a3433e1

    • SHA512

      d2084adba9817e3bfd4d09698f110c4ee2ca590864fbdfd7c2f815069df10093e853b80a7c575c4a1127c9f90b507f2df7c6ca371440ca45c984c7f585f54527

    • SSDEEP

      1536:SzqeFPqg6O6kMyilgFvaxeEuvhS+LmLhvTLYr:SmeFPFiGFyeZjS1va

    Score
    8/10
    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks