Overview

overview

10

Static

static

3

0a311b59ee...18.exe

windows7-x64

10

0a311b59ee...18.exe

windows10-2004-x64

10

$PLUGINSDIR/czqp.dll

windows7-x64

3

$PLUGINSDIR/czqp.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0a311b59eeabc0a3504ba54bb1fd8a62_JaffaCakes118

  • Size

    341KB

  • Sample

    240328-tp48raae2t

  • MD5

    0a311b59eeabc0a3504ba54bb1fd8a62

  • SHA1

    82b2e5f18c5ff7af38d4ae28d7ff6b8b39767390

  • SHA256

    df5039197d98afa27ede1f1a8de46052de7ae716fd87d68b949b87649014b366

  • SHA512

    07575a8cbae1ce9cb6d41c30663cada9394c1ad57fb662544f7196ccec727c7c3b30761ae27c030cf7c8490e50e53cc65e122023a21cb8e701e72083052307dd

  • SSDEEP

    6144:GBlL/VGeKGDuGyGNQZLRQdsbZOwXP7YWx8O/6Rvh4K90iPxmJj36Xsw5r:EmBR4uOJWWO/zgxm2s2r

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument

Targets

    • Target

      0a311b59eeabc0a3504ba54bb1fd8a62_JaffaCakes118

    • Size

      341KB

    • MD5

      0a311b59eeabc0a3504ba54bb1fd8a62

    • SHA1

      82b2e5f18c5ff7af38d4ae28d7ff6b8b39767390

    • SHA256

      df5039197d98afa27ede1f1a8de46052de7ae716fd87d68b949b87649014b366

    • SHA512

      07575a8cbae1ce9cb6d41c30663cada9394c1ad57fb662544f7196ccec727c7c3b30761ae27c030cf7c8490e50e53cc65e122023a21cb8e701e72083052307dd

    • SSDEEP

      6144:GBlL/VGeKGDuGyGNQZLRQdsbZOwXP7YWx8O/6Rvh4K90iPxmJj36Xsw5r:EmBR4uOJWWO/zgxm2s2r

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/czqp.dll

    • Size

      24KB

    • MD5

      d4e1b723e7687c5c404bc81cfce6a5ec

    • SHA1

      dd6d741f860eb6ee59aab7455d895c2e0f394a55

    • SHA256

      ae58d3fdef96fa5a1525a7ced314231b4883ed796fe8a42958d5bf24b21fa64d

    • SHA512

      359c32988a018748b157fa93f38c6ef92b28508cbf86ca129218848679b009fa630d31198ce85d9c31e8815c24aeb8be428c1e882cf67936df8a85bd542d8a3c

    • SSDEEP

      384:7reSw0JDTRCNzQL+LWJYjnZjHGTjA4CbuP9Wuud9QQh8xf6LPvtTbMqg:DwwRCBnWJIntmTKBuaQFOPFTbM

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks