Overview

overview

10

Static

static

3

e7456c57db...cb.exe

windows7-x64

7

e7456c57db...cb.exe

windows10-2004-x64

10

kigtiqm.exe

windows7-x64

3

kigtiqm.exe

windows10-2004-x64

3

xmnxoix.vbs

windows7-x64

1

xmnxoix.vbs

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.zip

  • Size

    641KB

  • Sample

    240402-mnat7afb91

  • MD5

    f33e60e40a723ba1c429d895755469dd

  • SHA1

    d8518a5504d2dcc3048af930d36481da537bdc70

  • SHA256

    6bd830dd4c73fbf000b6d07e62751a4c2313b3bba8569b8612d9e390f65161a1

  • SHA512

    1235fca86033c50ed5520b49290d555c28619a7bf64327b795f87c27d972ad9af2093f23d620cacbbb3d66f99469aff0db1c12357b3cc2c4eede2b3b26b7989a

  • SSDEEP

    12288:cHlbsMwUVGgxljLeEAzu3ereg1Ef8Vnh+5cRFhIY6cYphQ6GlWhqViM2E4D:ElbsMFfn2Deg1akh+K3hIYtAhYlpViMU

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.exe

    • Size

      804KB

    • MD5

      e8b61b099af93918a7d59477334471e0

    • SHA1

      a2ce7a730e96bf6c8f9cd512993fd67cf0c10767

    • SHA256

      e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb

    • SHA512

      30b93418d244b71718a7fbf6683c27ac4bc799338f67d915367cb7cb5b93dab661b5b9071f49e055e9701d721ef3e788a0632adc062ecd32d1ffe225712bd855

    • SSDEEP

      12288:IYgBDMwdNEb40oLhLr1+vuYdCllN9cnUstwbvhz58lZNKXGLfR:IYgB7mINL/vbDci1p2d

    Score
    10/10
    persistenceagentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      kigtiqm.exe

    • Size

      872KB

    • MD5

      c56b5f0201a3b3de53e561fe76912bfd

    • SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

    • SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    • SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • SSDEEP

      12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

    Score
    3/10
    behavioral3behavioral4

    • Target

      xmnxoix.au3

    • Size

      4KB

    • MD5

      0d013f6baac0a09a1fb8e14217317503

    • SHA1

      453fba3488930e98d075946a31e5455b84eed5ba

    • SHA256

      0a78523b6163a8372ba64e5cc275d68f6582b7ca3a93e3163ad96251cc788d83

    • SHA512

      05032c4bbdc56992768a87ebaa9a9f43cb9092df401bb61a20673c1bec3a1f3fe4ee7c55c0572ceac9d862538ac765d0e0577cb63424c5edf137f7948feb8ced

    • SSDEEP

      96:8Qj+oh+0ddn/qEMA98SM/26Ai9qFnOnYPUub2:l+oh+0ddn/KA98//26Ao0Oyry

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks