Overview

overview

10

Static

static

3

49136 E2K ...11.exe

windows7-x64

49136 E2K ...11.exe

windows10-2004-x64

10

kigtiqm.exe

windows7-x64

3

kigtiqm.exe

windows10-2004-x64

3

xmnxoix.vbs

windows7-x64

1

xmnxoix.vbs

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8b739e545fc95b979031b1d173680e40804cdfae954553daad04f865571072a5.zip

  • Size

    641KB

  • Sample

    240402-l4rl7sed94

  • MD5

    2d8c8b20bf01b73d22e9f6e836b75f61

  • SHA1

    a86e6257bb833cea41b1b9ac8aa04acd0b19af03

  • SHA256

    397097f670b45e9e4cafbf621ed6345ca96a115f6347ff84a4874822dcc5390f

  • SHA512

    d67a81b71c2ed231d9cc4d74761a57d1bdbbbd92d0dbf1dcc2c62266a571a4e4fb45bb8abece0c4d89a3ff9b6a869fa3ed271d90f71fd8894ae8a57091006976

  • SSDEEP

    12288:kF4rWAJC0C8ReT9UPaTB76JpvgVLkl+R1JmyMAdAupT5zO2QZS5yeuku83MuIgo:knAJFfeyaTcf4lrJDmcT5z2Y5yHkuwM9

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      49136 E2K 610622871149136 E2K 6106228711.exe

    • Size

      804KB

    • MD5

      e8b61b099af93918a7d59477334471e0

    • SHA1

      a2ce7a730e96bf6c8f9cd512993fd67cf0c10767

    • SHA256

      e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb

    • SHA512

      30b93418d244b71718a7fbf6683c27ac4bc799338f67d915367cb7cb5b93dab661b5b9071f49e055e9701d721ef3e788a0632adc062ecd32d1ffe225712bd855

    • SSDEEP

      12288:IYgBDMwdNEb40oLhLr1+vuYdCllN9cnUstwbvhz58lZNKXGLfR:IYgB7mINL/vbDci1p2d

    Score
    10/10
    agentteslacollectionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      kigtiqm.exe

    • Size

      872KB

    • MD5

      c56b5f0201a3b3de53e561fe76912bfd

    • SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

    • SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    • SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • SSDEEP

      12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

    Score
    3/10
    behavioral3behavioral4

    • Target

      xmnxoix.au3

    • Size

      4KB

    • MD5

      0d013f6baac0a09a1fb8e14217317503

    • SHA1

      453fba3488930e98d075946a31e5455b84eed5ba

    • SHA256

      0a78523b6163a8372ba64e5cc275d68f6582b7ca3a93e3163ad96251cc788d83

    • SHA512

      05032c4bbdc56992768a87ebaa9a9f43cb9092df401bb61a20673c1bec3a1f3fe4ee7c55c0572ceac9d862538ac765d0e0577cb63424c5edf137f7948feb8ced

    • SSDEEP

      96:8Qj+oh+0ddn/qEMA98SM/26Ai9qFnOnYPUub2:l+oh+0ddn/KA98//26Ao0Oyry

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks