Overview

overview

10

Static

static

3

f34c081e10...c7.exe

windows7-x64

10

f34c081e10...c7.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    935e5811eb02289f3fa02f46b6642f52.bin

  • Size

    626KB

  • Sample

    240327-dl46ksed2v

  • MD5

    e133376398aeec512d3cc1348f4d7f09

  • SHA1

    9f222f280030be544a0727040c693f6b4e272b23

  • SHA256

    a8933c00fc25f03482ef3aa833ba9f8f313e7e9373ccb92af573fc20f0dc9959

  • SHA512

    991bc3326a7615046f5009ddd479fcf95b4c0d42d96a596d3b496c04081625d1e9fdf52d0f0b0883323bb05062fd160837c3f970cab2f1ce967c41dc91ca7d4f

  • SSDEEP

    12288:urdH7ZKrjbaTppCaKQ6ZUN43cpz0RDdtyt4BM+LkMGaR/4ST7el8x:nPRaKQ6ZUeKzp4uOtDASCla

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.normagroup.com.tr
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Kingdom12345@

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.normagroup.com.tr
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Kingdom12345@

Targets

    • Target

      f34c081e10503e1930c7a24c39e144c78bf59c22e6741e9c991334ca78fd34c7.exe

    • Size

      682KB

    • MD5

      935e5811eb02289f3fa02f46b6642f52

    • SHA1

      9cd13ee6a79720b8ce134c73d14531a925243a43

    • SHA256

      f34c081e10503e1930c7a24c39e144c78bf59c22e6741e9c991334ca78fd34c7

    • SHA512

      c9de3edb651dd149bb08df00c8f64f5025b0605cdc6c6bc99e3647b636f3ea19b9a11613e5e57506ad1e013201f3ebd0425819f6350bf7e753406d8bc0568e7d

    • SSDEEP

      12288:TN3gC74CMwbtve4PamkHhrIF52iyEO4SKvAGHYWfs11qBGviKmmZgDgNjIN:TN3FFCDhkFAuOBK54WUrWeiKRgDgpIN

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks