General

  • Target: tmp0j754zx0
  • Size: 627KB
  • Sample: 240327-cey6bahh74
  • MD5: c0171e72a0f15b0f96fd44a248a2a898
  • SHA1: d5d97cc94e6b267ed9b7151bf56c52b0679bbe78
  • SHA256: c4213933d7d0d0e76edb873e4991a97e92b3dbc62a8b39e70ae4eba8ab908906
  • SHA512: c89bfd238b8885b5e57afebb69d26d35c7e93fbcd34724edb452de7841d03334050edf63f3cdd540357197d55ddd4ed29ba7888505a6b485bd2149cdead5188f
  • SSDEEP: 12288:1z64+JKNOfpPP78q1eJX1kbBuqcM0aYjP6gG:I4KJL84e1IBh6aY3G

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: mail.legodimo.co.za
  • Port: 587
  • Username: [email protected]
  • Password: IFfo%142#

Extracted

  • Family: agenttesla

Targets

    • Target: tmp0j754zx0

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • Loads dropped DLL
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

    • Target: $PLUGINSDIR/nsExec.dll
    • Size: 6KB
    • MD5: b55f7f1b17c39018910c23108f929082
    • SHA1: 1601f1cc0d0d6bcf35799b7cd15550cd01556172
    • SHA256: c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7
    • SHA512: d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa
    • SSDEEP: 96:L7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN538:RbGgGPzxeX6D8ZyGgmkN
    • Score: 3/10
    • Target: systemmssig/Uigennemsigtiges.Pro
    • Size: 58KB
    • MD5: 3c4c7decc6f175d87765a3e45b653749
    • SHA1: e9d3c7db2f91673fed217511890faaa5f049512d
    • SHA256: e3aaf138e1f9c9d0247633ab3042583bc73730e32d552331d818ac4a2666e828
    • SHA512: e5862e7c8294e3d1c1c0792434157bdf3ff041d41264ffa888ef51d26202e0a130e23959e543003aae478e933b2274f918b7b6ff066b11523d0f95fffeb7a75d
    • SSDEEP: 1536:rUgawnJYmeXBUJjRWm9Ky598waGjU3z6s:ggL6Usm7CP3X
    • Score: 8/10
    • Modifies Installed Components in the registry
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
