General

  • Target

    577e97c9cecbc96950263523a1df396d5c30849211fbb30da3bf81ffd4faa610

  • Size

    696KB

  • Sample

    240417-rkzflabd82

  • MD5

    4f2dc3f1b22dcd2fb2fb108fee13f818

  • SHA1

    7d30b49518626491b3136db0ab00a992f2fd29ab

  • SHA256

    577e97c9cecbc96950263523a1df396d5c30849211fbb30da3bf81ffd4faa610

  • SHA512

    8c000f001b5c5d0219321b0d5912711e2ccdc49250ae847c0c5be17b2d226cf46ba00a4a558c5a6aacfe5dfd53490aaeb9b980622a481233983450d9c303a8e5

  • SSDEEP

    12288:QGwJjz9N+NS4sD+Sn5L4Nfhzabmx+ASMPwG52YsbQbwMIfBSI4tZHlZ7QKH9Kbkj:QvJfT/5L4phAuS9GqzMIfBSIcVlZQKHH

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.bulletproofprotections.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    pay2024password$$

Targets

    • Target

      41aeef7e77c0898fa3183101a024b865a1f7df23834ea4adff7c52b8c669391b.exe

    • Size

      840KB

    • MD5

      a2af0f9d724f45de43806ec7609a3b36

    • SHA1

      a113d233470d82fbb4b62e08bbb6aa7152402769

    • SHA256

      41aeef7e77c0898fa3183101a024b865a1f7df23834ea4adff7c52b8c669391b

    • SHA512

      761a27dc217fdc0d09298a643c32653cd19e2046fac07a1691b2f495b4912201eb018c5fff0dc37c493282f99789ac1decff970059481d6367999bd279bdc257

    • SSDEEP

      24576:qdRQWBOnD/H5vKpc9QdI9FxM2flLBUj+R:qdCWEnD/5vKG9QEFpflL9R

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks