Overview

overview

10

Static

static

1

Avviso di ...df.bat

windows7-x64

1

Avviso di ...df.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c242446b4e00a26c0c6a4b7a9a47022a636f1f6f83b548d42ac292823521a2c3.img

  • Size

    1.2MB

  • Sample

    240328-c25avaba25

  • MD5

    6a70bc2a5e490e5183d3886094a1b74b

  • SHA1

    2a5fa74088d83697a6b79cfd4955f676d32e4dde

  • SHA256

    c242446b4e00a26c0c6a4b7a9a47022a636f1f6f83b548d42ac292823521a2c3

  • SHA512

    b60d8a0361af991645f4029e504d030058b62122f8ac6c61a0d0399c357cb4192f88c38b86732b281f1b2a6c887eb7f652d12068f865fae621280d69b1e0d916

  • SSDEEP

    3072:aT/IpFBvxdugvwReuVhjNCHhGHkTjV/bnHVeLYvElkMp2GMkCTH3djFoll4MPUQ9:O/APubReSj460jhHkLYvEAP3soMPxoW

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.agagroup.lv
  • Port:
    587
  • Username:
    info@agagroup.lv
  • Password:
    @Aga#Group777!

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.agagroup.lv
  • Port:
    587
  • Username:
    info@agagroup.lv
  • Password:
    @Aga#Group777!
  • Email To:
    remiset@remisat.com.uy

Targets

    • Target

      Avviso di Pagamento_Credit Agricole_Pdf.bat

    • Size

      191KB

    • MD5

      2effd68ca29fb310fbe40749eb566d0e

    • SHA1

      bb23473d4be94830371bd52afe37cb1b59609ed5

    • SHA256

      463b92101e5f2912781dd6eb61374b97f14fb27b6fe05c0ef3fb734d8ef4d4ec

    • SHA512

      994de4787401c0e5ce032be67adb93c5e9aa6aa4c510ab19aa1f41a75808b927428e779f2479542465c738eff5138c94fa3cb71da6835957cfb9531f9afa12c6

    • SSDEEP

      3072:4/IpFBvxdugvwReuVhjNCHhGHkTjV/bnHVeLYvElkMp2GMkCTH3djFoll4MPUQTZ:4/APubReSj460jhHkLYvEAP3soMPxoWV

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks