General

  • Target

    f9683997b1733f292b8b22f8a94a315d_JaffaCakes118

  • Size

    878KB

  • Sample

    240419-d3547sge5w

  • MD5

    f9683997b1733f292b8b22f8a94a315d

  • SHA1

    349b1fed7a0cee9f93119fe3f30a73b18589c163

  • SHA256

    df88cb3a8f518f0589f2cd9cc1ed652cad16156932d08bf18a226177654e3cda

  • SHA512

    6b75f125065772ed2867181a60c05d0b1e3ef5eaed9f7f86f42d995f8c35d66b1ebcacf1939d14c3566630741d3db64a7767ab0db31e6b42e51ed2760d6d5aaf

  • SSDEEP

    24576:yNT+SqPYaAb7Gub1+xB/f79wVpoF7O3GGexKP:C6nMZb1+/iVUo

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.mmdqatar.com/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Internet@123
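
The extracted channel above gives three network indicators: the host ftp.mmdqatar.com on port 21, the account name, and the password. The block below is an added example, not part of the sandbox report or of AgentTesla, that hunts for that channel in Zeek ftp.log records and separates uploads (STOR/STOU/APPE, which is what the stealer's exfiltration looks like on the wire) from the rest of the session. The log rows are constructed; the C2 IP 198.51.100.20 and the account name exfil@example.invalid are placeholders, because the report obfuscates the username and gives only a hostname, so the analyst supplies both.

```python
"""Hunt Zeek ftp.log records for the FTP exfiltration channel extracted from
this sample. Added example, not part of the sandbox report or of AgentTesla.
Constructed log rows; the C2 IP and username below are placeholders."""

# Indicators from the extracted config. The report obfuscates the username
# and gives only a hostname, so the user and the resolved IP(s) are passed in.
C2_PORT = 21
C2_PASSWORD = "Internet@123"
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}  # FTP commands that push data to the server


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log. '#fields' names the columns; other '#' lines are metadata."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def hunt_ftp_exfil(text, c2_ips, c2_user=None, c2_password=C2_PASSWORD):
    """Return one hit per ftp.log record that matches any of the C2 indicators."""
    hits = []
    for r in parse_zeek_tsv(text):
        reasons = []
        if r.get("id.resp_h") in c2_ips and r.get("id.resp_p") == str(C2_PORT):
            reasons.append("c2_ip")
        if c2_user and r.get("user") == c2_user:
            reasons.append("c2_user")
        # Zeek writes "<hidden>" here unless FTP::default_capture_password is on,
        # so the password indicator only fires on sensors that keep it.
        if r.get("password") == c2_password:
            reasons.append("c2_password")
        if reasons:
            hits.append({
                "ts": r["ts"], "src": r["id.orig_h"], "dst": r["id.resp_h"],
                "user": r.get("user"), "command": r.get("command"), "arg": r.get("arg"),
                "upload": r.get("command") in UPLOAD_COMMANDS,
                "reasons": reasons,
            })
    return hits


def uploads_by_source(hits):
    """Map each internal host to the files it pushed to the C2: the exfiltrated loot."""
    out = {}
    for h in hits:
        if h["upload"]:
            out.setdefault(h["src"], []).append(h["arg"])
    return out


# Constructed ftp.log excerpt in Zeek's TSV layout, trimmed to the relevant columns.
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "user", "password", "command", "arg", "reply_code", "reply_msg"]
_ROWS = [
    ["1713502800.123456", "CqTx1a", "10.0.0.15", "49711", "203.0.113.5", "21",
     "anonymous", "<hidden>", "RETR", "ftp://203.0.113.5/pub/readme.txt", "226", "Transfer complete"],
    ["1713502810.456789", "CbYw2b", "10.0.0.42", "49812", "198.51.100.20", "21",
     "exfil@example.invalid", "<hidden>", "STOR", "ftp://198.51.100.20/report.html", "226", "Transfer complete"],
    ["1713502811.001000", "CbYw2b", "10.0.0.42", "49812", "198.51.100.20", "21",
     "exfil@example.invalid", "<hidden>", "PWD", "-", "257", "\"/\" is current directory"],
    # C2 moved to a new IP and account; only the captured password still ties it to this config.
    ["1713502900.250000", "CdZv3c", "10.0.0.77", "50100", "192.0.2.9", "21",
     "exfil2@example.invalid", "Internet@123", "STOR", "ftp://192.0.2.9/report.html", "226", "Transfer complete"],
]
SAMPLE_FTP_LOG = "\n".join(
    ["#separator \\x09", "#path\tftp", "#fields\t" + "\t".join(_FIELDS)]
    + ["\t".join(row) for row in _ROWS])

if __name__ == "__main__":
    found = hunt_ftp_exfil(SAMPLE_FTP_LOG, {"198.51.100.20"}, c2_user="exfil@example.invalid")
    for h in found:
        print(h["ts"], h["src"], "->", h["dst"], h["command"], h["arg"], h["reasons"])
    print(uploads_by_source(found))
```

The password indicator is the one that survives infrastructure changes, but it only works on sensors where `FTP::default_capture_password` is enabled; by default Zeek records `<hidden>` and the IP and account indicators are all that remain, so resolve the hostname from passive DNS rather than from a live lookup that tips off the operator.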

Targets

    • Target

      Request_for_quotation_8378473847843.exe

    • Size

      1.2MB

    • MD5

      5a396ea7fb5013dea9e992a610a84e4a

    • SHA1

      533d2d0be556ea0cc3b0cb407cd4f4675c8b2f8c

    • SHA256

      69a494bfd4d95a7dfb43a121db499277a26d9c2c4c4aa3289cda63f88cb51b5e

    • SHA512

      0fa9f43b19cd10d9f921bd5254c5a9aed79a6e8bad419232639459b28e89476ad9a7a234001c4ee7706ea78afeabbb2a6c877cb5ae4ec15fee4bf64e806b41e2

    • SSDEEP

      24576:UJKklIgMsh4C2s0I3OgbilcN3yd2OluON4fA9uC:UBlIgMk4C2EDT3yd2OluON4fA9u

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; this sample exfiltrates the harvested data over FTP using the credentials listed under Malware Config.

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running the payload.

    • Reads WinSCP keys stored on the system

      Tries to read WinSCP's stored sessions from the registry (HKCU\Software\Martin Prikryl\WinSCP 2\Sessions), which can hold saved passwords.

    • Reads data files stored by FTP clients

      Tries to read configuration files associated with programs like FileZilla (sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla), which store saved server credentials.

    • Reads user/profile data of local email clients

      Email clients store account settings, and often saved credentials, on disk and in the registry, where infostealers commonly target them.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

      Reads Outlook profile data from the registry, where account settings and stored mailbox passwords live.

    • Adds Run key to start application

      Writes an entry under a CurrentVersion\Run key so the payload is launched again at logon (T1547.001).

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on another process's suspended thread is how injected code is handed execution in process hollowing, a common way for this family to run its payload inside a legitimate-looking process.
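
The behaviours listed above are the kind of signatures a sandbox derives from registry and file telemetry. As an added example, not the sandbox's own rule code, the block below applies the same checks to constructed endpoint events and maps each hit to the ATT&CK IDs used in the matrix on this page. The event records and process names are constructed (the suspicious image is the dropped file named in this report); the registry and file paths are the real locations the named applications use. It also drops hits from the owning application (WinSCP reading its own sessions key), the usual false positive for these rules, and rates a process by how many distinct credential stores it touched, since one read may be an admin tool while several in one run is the stealer pattern.

```python
"""Score endpoint telemetry for the credential-theft and persistence behaviours
this report flags. Added example, not the sandbox's own signature code.
Events and process names are constructed; the registry/file paths are the real
locations the named applications use."""
import re

# (signature as named in the report, ATT&CK ID from the matrix, event types,
#  target pattern, images that legitimately touch this artefact)
RULES = [
    ("Adds Run key to start application", "T1547.001", {"RegSetValue"},
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I), set()),
    ("Checks computer location settings", "T1012", {"RegQueryValue"},
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), set()),
    ("Reads WinSCP keys stored on the system", "T1552.002", {"RegQueryValue"},
     re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions\\", re.I), {"winscp.exe"}),
    ("Reads data files stored by FTP clients", "T1552.001", {"ReadFile"},
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I), {"filezilla.exe"}),
    ("Accesses Microsoft Outlook profiles", "T1114", {"RegQueryValue"},
     re.compile(r"\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I), {"outlook.exe"}),
    ("Reads user/profile data of web browsers", "T1552.001", {"ReadFile"},
     re.compile(r"\\(Login Data|logins\.json|key4\.db)$", re.I),
     {"chrome.exe", "msedge.exe", "firefox.exe"}),
]


def score_events(events, rules=RULES):
    """Apply every rule to every (pid, image, event_type, target) record.

    Hits from the artefact's own application are dropped (WinSCP reading its
    sessions key is normal); everything else is grouped per process and scored
    by the number of distinct signatures that fired."""
    out = {}
    for pid, image, etype, target in events:
        base = image.rsplit("\\", 1)[-1].lower()
        for name, tid, etypes, pattern, owners in rules:
            if etype not in etypes or not pattern.search(target) or base in owners:
                continue
            entry = out.setdefault(pid, {"image": image, "hits": [], "techniques": set()})
            entry["hits"].append((name, tid, target))
            entry["techniques"].add(tid)
    for entry in out.values():
        entry["score"] = len({name for name, _, _ in entry["hits"]})
    return out


def infostealer_suspects(events, min_score=3):
    """A lone read of one store may be an admin tool; a process that hits several
    credential stores in one run is the AgentTesla pattern."""
    return {pid: e for pid, e in score_events(events).items() if e["score"] >= min_score}


# Constructed telemetry. The suspicious image is the dropped file named in this report.
MALWARE = r"C:\Users\alice\AppData\Local\Temp\Request_for_quotation_8378473847843.exe"
EVENTS = [
    (4120, MALWARE, "RegQueryValue", r"HKCU\Control Panel\International\Geo\Nation"),
    (4120, MALWARE, "RegQueryValue", r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\prod-sftp\Password"),
    (4120, MALWARE, "ReadFile", r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml"),
    (4120, MALWARE, "RegQueryValue",
     r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email"),
    (4120, MALWARE, "ReadFile", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4120, MALWARE, "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Request_for_quotation"),
    # Legitimate owner reading its own store: must not score.
    (2210, r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "RegQueryValue",
     r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\prod-sftp\HostName"),
    # Unrelated registry read by a benign process.
    (1540, r"C:\Windows\explorer.exe", "RegQueryValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"),
]

if __name__ == "__main__":
    for pid, e in infostealer_suspects(EVENTS).items():
        print(pid, e["image"], "score", e["score"], sorted(e["techniques"]))
        for name, tid, target in e["hits"]:
            print("   ", tid, name, "<-", target)
```

Registry reads are not in Sysmon's default event set (it logs value sets, key creation and deletion), so the RegQueryValue rules need procmon-style or EDR telemetry; on Sysmon alone only the Run-key rule fires, and the hollowed host process, not the dropped file, will be the image doing the reading.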

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                               ID          Hits
  Execution              Scheduled Task/Job                      T1053       1
  Persistence            Boot or Logon Autostart Execution       T1547       1
  Persistence            Registry Run Keys / Startup Folder      T1547.001   1
  Persistence            Scheduled Task/Job                      T1053       1
  Privilege Escalation   Boot or Logon Autostart Execution       T1547       1
  Privilege Escalation   Registry Run Keys / Startup Folder      T1547.001   1
  Privilege Escalation   Scheduled Task/Job                      T1053       1
  Defense Evasion        Modify Registry                         T1112       1
  Credential Access      Unsecured Credentials                   T1552       4
  Credential Access      Credentials In Files                    T1552.001   3
  Credential Access      Credentials in Registry                 T1552.002   1
  Discovery              Query Registry                          T1012       1
  Discovery              System Information Discovery            T1082       2
  Collection             Data from Local System                  T1005       4
  Collection             Email Collection                        T1114       1
