General

  • Target

    3bc0bb886fcfd4fa94d9d6f6d12151f45bca11d6fdf630524963d995e0598e30

  • Size

    852KB

  • Sample

    240327-cfrsmach8v

  • MD5

    5fe720f1efe14727767d7c322cfd1009

  • SHA1

    83a403d0684334f376e57e69864b72432c166116

  • SHA256

    3bc0bb886fcfd4fa94d9d6f6d12151f45bca11d6fdf630524963d995e0598e30

  • SHA512

    519d23d0c3b51de99cfdf02de50aea6e589e6b3153dd223a34621b731bc10dbc15bdabcff9cf013bb0704cbb9ac2abfd931000688b5a565a1372da937b4806f0

  • SSDEEP

    12288:CQ8SFbtGEC8GVoOB/En47nyMjcJHOhS3uERdg1OuGPH:VbFbtDGDB/Hy+KOhd8

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    wmho ikiq acak drub

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      3bc0bb886fcfd4fa94d9d6f6d12151f45bca11d6fdf630524963d995e0598e30

    • Size

      852KB

    • MD5

      5fe720f1efe14727767d7c322cfd1009

    • SHA1

      83a403d0684334f376e57e69864b72432c166116

    • SHA256

      3bc0bb886fcfd4fa94d9d6f6d12151f45bca11d6fdf630524963d995e0598e30

    • SHA512

      519d23d0c3b51de99cfdf02de50aea6e589e6b3153dd223a34621b731bc10dbc15bdabcff9cf013bb0704cbb9ac2abfd931000688b5a565a1372da937b4806f0

    • SSDEEP

      12288:CQ8SFbtGEC8GVoOB/En47nyMjcJHOhS3uERdg1OuGPH:VbFbtDGDB/Hy+KOhd8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $_20_/skarpskytten.Sne

    • Size

      60KB

    • MD5

      4e54c10f7cd7930f6c3233586843a34b

    • SHA1

      413600b893318c6ef5eca31610065932da025813

    • SHA256

      d4cb9851ac7b4d628788e5c8ab238d992105d7818ee7d126c490452476774775

    • SHA512

      891b9c024af8fba3497b2b17a2ad8dd3c5e0adde83bc787905a577b09d632a257f068fff1ad90c82f7115f595c249d4c7fcc9d51c946fcc0b42f60ea87e06221

    • SSDEEP

      768:hyOqx/TlpDJhVUY4sgJEfRKIFfnJXYX5fB/+J8bmBmtCPQWOSngoShfk0Ojo1tf1:WtLHOPJgLeX5ZegyQVV7v71jxMT4

    Score
    8/10
    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks