General

  • Target

    50d062f2af11b77ece351cb40bb60ddf80894ccef2faf7dd031235e56873a854

  • Size

    633KB

  • Sample

    240319-b3dzlsdh34

  • MD5

    039dc550d934b9fcf052edb597c88615

  • SHA1

    12b0e0f854d8e8f803c3a422c27210663e7af713

  • SHA256

    50d062f2af11b77ece351cb40bb60ddf80894ccef2faf7dd031235e56873a854

  • SHA512

    7f6d05b67bcd75c29a982f6bcb3c37877d037c94e9f56e59d8338de74d92355ce9c1e2fe8f7302e89c25d438eab94f717f017ab0bcae27156ac7c7c87ef86fe7

  • SSDEEP

    12288:Y7kmn8KAc60WTPVB8W2Jj38iHC5Bk0OdeMe9P1J8pknAR3/cWagRhHkR:YQmnPQDVB8W2J38CCE0Se9P1GgARvcsu

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.qool-point.co.ke
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Hamida2023??

Targets

    • Target

      50d062f2af11b77ece351cb40bb60ddf80894ccef2faf7dd031235e56873a854

    • Size

      633KB

    • MD5

      039dc550d934b9fcf052edb597c88615

    • SHA1

      12b0e0f854d8e8f803c3a422c27210663e7af713

    • SHA256

      50d062f2af11b77ece351cb40bb60ddf80894ccef2faf7dd031235e56873a854

    • SHA512

      7f6d05b67bcd75c29a982f6bcb3c37877d037c94e9f56e59d8338de74d92355ce9c1e2fe8f7302e89c25d438eab94f717f017ab0bcae27156ac7c7c87ef86fe7

    • SSDEEP

      12288:Y7kmn8KAc60WTPVB8W2Jj38iHC5Bk0OdeMe9P1J8pknAR3/cWagRhHkR:YQmnPQDVB8W2J38CCE0Se9P1GgARvcsu

    • AgentTesla

      Agent Tesla is a .NET-based infostealer and remote access tool (RAT), originally written in VB.NET. It harvests saved credentials from browsers, mail and FTP clients, logs keystrokes, and exfiltrates the collected data over SMTP, FTP or HTTP. The config extracted from this sample uses SMTP through mail.qool-point.co.ke on port 587.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check that decides whether the payload runs on this host.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

      Writes a value under a Run key (typically HKCU\Software\Microsoft\Windows\CurrentVersion\Run) so the payload is launched again at each logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread in another process (usually a child started with CREATE_SUSPENDED) is characteristic of process hollowing: the host's entry point is redirected to injected code. Benign applications almost never do this.
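The following is an added example, not part of the sandbox report or the Agent Tesla code base. It turns the extracted config and the behaviour signatures above into a small triage check: `hash_matches` compares a file's digests against the reported MD5/SHA1/SHA256, and `triage` replays constructed Sysmon-style events and flags the Run-key persistence, credential-store reads, external IP lookup and SMTP exfiltration the report lists. The event schema, the registry and file paths used as credential-store hints, the IP lookup host list and every process name are assumptions for illustration; only the hashes and mail.qool-point.co.ke:587 come from the report.

```python
"""Triage helpers for the Agent Tesla sample described in this report.

Added example. Everything except the report's hashes and the extracted SMTP
host/port (mail.qool-point.co.ke:587) is an assumption made for illustration.
"""
import hashlib
from dataclasses import dataclass

# Digests taken from the report's General section.
REPORT_HASHES = {
    "md5": "039dc550d934b9fcf052edb597c88615",
    "sha1": "12b0e0f854d8e8f803c3a422c27210663e7af713",
    "sha256": "50d062f2af11b77ece351cb40bb60ddf80894ccef2faf7dd031235e56873a854",
}

# Taken from the extracted malware config.
SMTP_EXFIL_HOST = "mail.qool-point.co.ke"
SMTP_EXFIL_PORT = 587

# Credential stores the report says the sample reads. Paths are the usual
# locations of these stores (assumed here), matched case-insensitively.
CREDENTIAL_STORE_HINTS = {
    "Reads WinSCP keys stored on the system": [r"software\martin prikryl\winscp 2\sessions"],
    "Reads data files stored by FTP clients": [r"\filezilla\recentservers.xml", r"\filezilla\sitemanager.xml"],
    "Reads user/profile data of local email clients": [r"\thunderbird\profiles", r"\outlook\profiles"],
    "Reads user/profile data of web browsers": [r"\user data\default\login data", r"\mozilla\firefox\profiles"],
}

# Assumed list; the report does not name the lookup service this sample used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com"}

RUN_KEY_HINT = "\\currentversion\\run\\"


def hash_matches(data: bytes) -> dict:
    """Return {algorithm: bool} telling which report digests the given bytes match."""
    return {name: hashlib.new(name, data).hexdigest() == value for name, value in REPORT_HASHES.items()}


@dataclass
class Event:
    """Minimal Sysmon-like event (assumed schema)."""
    kind: str              # registry_set | registry_read | file_read | net_connect
    process: str
    target: str = ""       # registry key or file path for registry_*/file_* events
    dest_host: str = ""    # for net_connect
    dest_port: int = 0


def triage(events):
    """Map each report behaviour observed in `events` to the processes that showed it."""
    hits = {}

    def add(sig, ev):
        hits.setdefault(sig, []).append(ev.process)

    for ev in events:
        target = ev.target.lower()
        host = ev.dest_host.lower()
        if ev.kind == "registry_set" and RUN_KEY_HINT in target:
            add("Adds Run key to start application", ev)
        if ev.kind in ("file_read", "registry_read"):
            for sig, needles in CREDENTIAL_STORE_HINTS.items():
                if any(n in target for n in needles):
                    add(sig, ev)
        if ev.kind == "net_connect":
            if host in IP_LOOKUP_HOSTS:
                add("Looks up external IP address via web service", ev)
            if host == SMTP_EXFIL_HOST and ev.dest_port == SMTP_EXFIL_PORT:
                add("SMTP exfiltration to extracted C2", ev)
    return hits


# Constructed events: what the report's behaviours would look like in a host log,
# plus two benign entries that must not be flagged.
SAMPLE_EVENTS = [
    Event("registry_set", "sample.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("registry_read", "sample.exe", r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"),
    Event("file_read", "sample.exe", r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"),
    Event("file_read", "sample.exe", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("net_connect", "sample.exe", dest_host="api.ipify.org", dest_port=80),
    Event("net_connect", "sample.exe", dest_host="mail.qool-point.co.ke", dest_port=587),
    Event("file_read", "explorer.exe", r"C:\Users\victim\Documents\notes.txt"),
    Event("net_connect", "outlook.exe", dest_host="smtp.office365.com", dest_port=587),
]


def run_sample():
    """Run the triage over the constructed events."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for sig, procs in run_sample().items():
        print(f"{sig}: {', '.join(procs)}")
```

Two points worth keeping in mind when adapting this: match the SMTP indicator on host and port together (port 587 alone is normal mail-client traffic, as the benign outlook.exe event shows), and treat the hash check as a confirmation only, since a rebuilt or repacked sample will not match while still showing the same behaviours.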
