Overview

overview

10

Static

static

3

20240306 T...at.exe

windows7-x64

10

20240306 T...at.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    20240306 The new order about PO#PW225084YL.50L of 23AW1203A285 2ND SAMPLE ENR xls.bat.exe

  • Size

    539KB

  • Sample

    240307-r5vm5sef8w

  • MD5

    8842b5b5d828d54cac49097f52d5f62a

  • SHA1

    6bbaff55a54b752eca2f57c25e97bbd123597b44

  • SHA256

    b082ab124082817c7a3633f38d75328e0bee32164543987628428cb4c3a26e09

  • SHA512

    73cc6fe86faf67d0655e4c1a3593fd07036541dd8cc7b6f8aafc482905477b9a56fe588e236d4d7eb49e6baa133c8d481ed2b4d4f160529078708890f98f02fc

  • SSDEEP

    12288:akNE2cL3rOolerH9vASyBbbX/MQfe1kfE3xWN:LE2cL7Ool09vUBXX/MQGG+kN

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      20240306 The new order about PO#PW225084YL.50L of 23AW1203A285 2ND SAMPLE ENR xls.bat.exe

    • Size

      539KB

    • MD5

      8842b5b5d828d54cac49097f52d5f62a

    • SHA1

      6bbaff55a54b752eca2f57c25e97bbd123597b44

    • SHA256

      b082ab124082817c7a3633f38d75328e0bee32164543987628428cb4c3a26e09

    • SHA512

      73cc6fe86faf67d0655e4c1a3593fd07036541dd8cc7b6f8aafc482905477b9a56fe588e236d4d7eb49e6baa133c8d481ed2b4d4f160529078708890f98f02fc

    • SSDEEP

      12288:akNE2cL3rOolerH9vASyBbbX/MQfe1kfE3xWN:LE2cL7Ool09vUBXX/MQGG+kN

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      9625d5b1754bc4ff29281d415d27a0fd

    • SHA1

      80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

    • SHA256

      c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

    • SHA512

      dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

    • SSDEEP

      192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks