General

  • Target

    ed8389b74d5ccff75005650f80dc04f1_JaffaCakes118

  • Size

    468KB

  • Sample

    240411-qlhzkafd9s

  • MD5

    ed8389b74d5ccff75005650f80dc04f1

  • SHA1

    eff5f9b5c4104386cdd7be9dd0305512826e0264

  • SHA256

    ac0eaf90f2b4109be9c15354e7753f60f74572fe74a90c47718cd2d916af5d5f

  • SHA512

    59debd7f959d0ddb484026600dea03a4d31f7c83ad5f38ad4bd26bf34a39a2b95e63798804c8ec3aeb570b193be106a3e3339532c799173b35506cef70e54ddc

  • SSDEEP

    12288:SE9kWHd5a2WV68P4wpKUrfJL8jj/GaBuoFJnlXfsZaOsA:SE9vdjWV9PdKUrQRBuU9UcA

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    $%$nWr+eH

Targets

    • Target

      ed8389b74d5ccff75005650f80dc04f1_JaffaCakes118

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks