Overview

overview

10

Static

static

3

509656.exe

windows7-x64

10

509656.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    3a646aad7bdedf631ae7406d819be31b52faa5fe5b1e3d0c26f96a1ad14703a5.zip

  • Size

    661KB

  • Sample

    240315-ck7dwadh8x

  • MD5

    92b1bfdc4bf7a9497d37454f8e75c716

  • SHA1

    24ea66a84d327496faacf9212c1c434543aee751

  • SHA256

    3a646aad7bdedf631ae7406d819be31b52faa5fe5b1e3d0c26f96a1ad14703a5

  • SHA512

    338e81aaf33ace76972189c76f226ce9e9e8d964085d8a7fcdb81dfe3f8119575972d4eabf504d0319fd93de20245419679fad77fb1508b3b26524e038714c1d

  • SSDEEP

    12288:8QIQ2EIkhiJWQyCCHIGie1p7wxSpuspIaAaUBlGCvUrdC:bI5kKWQyHHIGx1wxSpuskBACvkC

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.awelleh3.top
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    QcR_(8@AdfHa

Targets

    • Target

      509656.exe

    • Size

      724KB

    • MD5

      dcaac79baa55279a9d3a68aa8e91e0d9

    • SHA1

      afb34c358919410594233644d507a4a8ad1f967d

    • SHA256

      ea8e979a9bf6fe2e8af35cedb5d639091629a2ce626f1339c7a0a48e3cc39ba2

    • SHA512

      67a4b7a2adca8935cda0e6ee8e05d0652f5549ee436eb93673d886f48354b719977970bed76f65c95b39a614413bc3eae43fb75024d397b2dcb12326826a8c69

    • SSDEEP

      12288:HCsLuMhHwgG3UiJuEULGtIWWCsUDSjfvocPnOVySPf9Okzf:Bo1UCtIWbDSjXbnsVPskz

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks