Overview

overview

10

Static

static

3

49136 E2K ...11.exe

windows7-x64

7

49136 E2K ...11.exe

windows10-2004-x64

10

kigtiqm.exe

windows7-x64

3

kigtiqm.exe

windows10-2004-x64

3

xmnxoix.vbs

windows7-x64

1

xmnxoix.vbs

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8b739e545fc95b979031b1d173680e40804cdfae954553daad04f865571072a5.zip

  • Size

    641KB

  • Sample

    240402-qdyp2sag4z

  • MD5

    5cc96ac6ea3956876de0fdd207e908be

  • SHA1

    c8120b551b7090c0c7cac1b39333d446a6c5f4af

  • SHA256

    8d0fead44f550553c1038fccbee07c91c6cc9eafa5f282819260823e58a69a16

  • SHA512

    ec039ba7f4f639b7939c47083d6378cd529ad6edc4b3eacf1106d7f0201cf0809c24f6add041b9c987d23593ad86ffed055abfb4a83f540baf232c4565d029f9

  • SSDEEP

    12288:2uSDAxcfJ8Zyh4wNGfdAjzoJCiOMx3IUCjOQIcMX:25AxsdhY1Ajy8Mx3IJIZ

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      49136 E2K 610622871149136 E2K 6106228711.exe

    • Size

      804KB

    • MD5

      e8b61b099af93918a7d59477334471e0

    • SHA1

      a2ce7a730e96bf6c8f9cd512993fd67cf0c10767

    • SHA256

      e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb

    • SHA512

      30b93418d244b71718a7fbf6683c27ac4bc799338f67d915367cb7cb5b93dab661b5b9071f49e055e9701d721ef3e788a0632adc062ecd32d1ffe225712bd855

    • SSDEEP

      12288:IYgBDMwdNEb40oLhLr1+vuYdCllN9cnUstwbvhz58lZNKXGLfR:IYgB7mINL/vbDci1p2d

    Score
    10/10
    persistenceagentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      kigtiqm.exe

    • Size

      872KB

    • MD5

      c56b5f0201a3b3de53e561fe76912bfd

    • SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

    • SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    • SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • SSDEEP

      12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

    Score
    3/10
    behavioral3behavioral4

    • Target

      xmnxoix.au3

    • Size

      4KB

    • MD5

      0d013f6baac0a09a1fb8e14217317503

    • SHA1

      453fba3488930e98d075946a31e5455b84eed5ba

    • SHA256

      0a78523b6163a8372ba64e5cc275d68f6582b7ca3a93e3163ad96251cc788d83

    • SHA512

      05032c4bbdc56992768a87ebaa9a9f43cb9092df401bb61a20673c1bec3a1f3fe4ee7c55c0572ceac9d862538ac765d0e0577cb63424c5edf137f7948feb8ced

    • SSDEEP

      96:8Qj+oh+0ddn/qEMA98SM/26Ai9qFnOnYPUub2:l+oh+0ddn/KA98//26Ao0Oyry

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks