Overview

overview

10

Static

static

1

8d131fafbc...b6.xls

windows7-x64

10

8d131fafbc...b6.xls

windows10-2004-x64

1

Resubmissions

25/02/2024, 13:51

240225-q54elsdh8w 10

25/02/2024, 02:18

240225-crr8jaah5s 10

25/02/2024, 02:13

240225-cnjf8aaa62 10

Sharing

Copy URL Twitter E-mail

General

  • Target

    77d965dd6195cc14fbfdbbbf7a86b7ba.bin

  • Size

    310KB

  • Sample

    240225-q54elsdh8w

  • MD5

    f842e3919582f59c81f3c372c2b489b7

  • SHA1

    d71f886e2eca0471fd6052b6264274dafffcfa9c

  • SHA256

    a8b0373970bbf25999f166d78eefb4cd1f1d7939783dd1ade6e48f2a091e1c16

  • SHA512

    8875bcc59d5d9129b6cb8a09e0ae46e5fa82950a1b5bb362ba42b4806c3bbe34fea8951013fd2eb9fbf0c5d04e74380693c3c1ca7ecfd25a44e9f57f9c03dd4b

  • SSDEEP

    6144:7xzKAMag07cDSUKsAMW55lLav/hOdIPC/5TyZozgEwMoozUBUhV:7xGAMagLPKsFC2OdIKxtzTwpSDhV

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.elquijotebanquetes.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    4r@d15PS!-!h

Targets

    • Target

      8d131fafbcc174ab6d33a73b0e7cbb72060a403cac403234578acfa762cef7b6.xlsx

    • Size

      332KB

    • MD5

      77d965dd6195cc14fbfdbbbf7a86b7ba

    • SHA1

      7e796af62e94214f14a7630abfba485187b3c7de

    • SHA256

      8d131fafbcc174ab6d33a73b0e7cbb72060a403cac403234578acfa762cef7b6

    • SHA512

      4b44d491fd706b8ab1d748d6689c58f9b2cc752990146cc696d3239b135dbc04495b54725e0ebfeea4d3d8f0d84cc3efa4872a473b1c171fcacbfb95eda1e0f3

    • SSDEEP

      6144:FVqYskzvCp4sJgDF1bqGHBMixiMK6G+ZFrTLOCii/D8Ug5PXYy9:FMYxbCfgD/bqEpozwjTLOC7D8DX

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Blocklisted process makes network request

    • Abuses OpenXML format to download file from external location

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks