Overview

overview

10

Static

static

3

rev_new or...df.exe

windows7-x64

10

rev_new or...df.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    rev_new order2024pdf.exe

  • Size

    532KB

  • Sample

    240228-gqapbach42

  • MD5

    1a81a4bbb804f4d4c3567b8f4b15f1fd

  • SHA1

    7c89ec25ff92f9ce5919eaae654bdcfa342b99db

  • SHA256

    d1ccb1bacee1f1f9662a7a17575937a05111fef02d0756cb29c538c8e2b45022

  • SHA512

    7602cd9a3772d95ca86e3e3002d45d103d054c6d2936749ca1dbd6f456fc8df809300bee9e3e8b5911e2c6de249bd7a6751118705461ec3a9ec1f02798bb270d

  • SSDEEP

    6144:WGpoY5A5QA2vVVnSNMJu+V1wv0ZlDeG4dCJP2+8HP778cpm4VHXT11d9z74Mm8NV:WGzEt2rKHcfe6JH05meXT1Lh7OeLpT

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.myhydropowered.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nW5AoStmqtxtXpA

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      rev_new order2024pdf.exe

    • Size

      532KB

    • MD5

      1a81a4bbb804f4d4c3567b8f4b15f1fd

    • SHA1

      7c89ec25ff92f9ce5919eaae654bdcfa342b99db

    • SHA256

      d1ccb1bacee1f1f9662a7a17575937a05111fef02d0756cb29c538c8e2b45022

    • SHA512

      7602cd9a3772d95ca86e3e3002d45d103d054c6d2936749ca1dbd6f456fc8df809300bee9e3e8b5911e2c6de249bd7a6751118705461ec3a9ec1f02798bb270d

    • SSDEEP

      6144:WGpoY5A5QA2vVVnSNMJu+V1wv0ZlDeG4dCJP2+8HP778cpm4VHXT11d9z74Mm8NV:WGzEt2rKHcfe6JH05meXT1Lh7OeLpT

    Score
    10/10
    agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      4add245d4ba34b04f213409bfe504c07

    • SHA1

      ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    • SHA256

      9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    • SHA512

      1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    • SSDEEP

      192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks