General

  • Target

    39eb968b541017d0ab42ea9372e75b60_JaffaCakes118

  • Size

    1.6MB

  • Sample

    240330-l6fygsda8s

  • MD5

    39eb968b541017d0ab42ea9372e75b60

  • SHA1

    0ac981104b02dac4ab542b0be006ce3c34b4539a

  • SHA256

    e4800fae7f1cd28309b163771c9016db5410d49194a5f5adc3318000563db2e6

  • SHA512

    868c39aa38eb6b8f402bf232dee02a9025b4b0f786ec95171cf6c2fe272df2bfbe6384ef8cb822ec4c64f857639f9235b11a8d1fc3cb0e004a64804e8f777e9b

  • SSDEEP

    6144:YQkBclMtJu1Zhj+efTXJ5gH6HFVg2F+ef5obYllYSdjM7YhJ8vkeJrDPNCGSH+:7ktJMffj/HlLF+q2Y3/djQYhJ8sW4o

Malware Config

Targets

    • Target

      Proforma,jpg.exe

    • Size

      305KB

    • MD5

      8ee039098b76daabd526bde87ca0a851

    • SHA1

      072dce9501058dce29e7d737b8e6789afe9edbf5

    • SHA256

      9ffaac05d6fa9eaaafbeefc070c2d520e6050add802cf5d44d281d3c40505d5c

    • SHA512

      3ae9a722b2fa53a5d3f4c82e1bc554ad939f8d23972642b36f5212779d49a8bd242a15604a13f0f9dfa280524793674692214d67595cc01927f682b313328b78

    • SSDEEP

      6144:F8LxBsySugYtXL32VEcFaqilZHWS1OUM1GS27/H7FPG2HNHhB:/PVYL5lZHxuAS2bH0GVj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/ivhbtroxhv.dll

    • Size

      22KB

    • MD5

      a194ad7a3fe74fb6a1749a0d72bdaa79

    • SHA1

      6718940dff7d9c85fa050d675e5fe7f3de78d29e

    • SHA256

      37d8436aa414c5df4340f06fdeac9bb1ba1ec2a8a48918d6d96948e9ba1d862d

    • SHA512

      109ddbb133b7c7fd08bc2c5ac794c10256b5b3030a9ce4c9fe6029e92d94959be05730e3fe039627a0eed6063a18ff5d863bc30e83cb5d8f5146820b7729b68f

    • SSDEEP

      384:DnMulcYTEIkzLuFdb0S3pSI+NrwjXMr3OT/X:DMu+YwIkzLuFd4khyU4eT/

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks