General

  • Target

    dd086621ee97b6f9a98b9b839b10bbb4a281b8e360cb26932de30768b82b23da.zip

  • Size

    623KB

  • Sample

    240424-cdxk4aea95

  • MD5

    c93862066670d022b71313fec54babbb

  • SHA1

    b26b968cbbfb02b749d9dbc48426aca6299e8c1b

  • SHA256

    dd086621ee97b6f9a98b9b839b10bbb4a281b8e360cb26932de30768b82b23da

  • SHA512

    c0ee82c16e3ebb756cf60a1c8c7c9f5864b323707fdf92f69f3215eba8c769b02cbe071a077012363cfb6b97844549ed2704e7a0b89db7b54402cf5808a16f2a

  • SSDEEP

    12288:glVaxCjA/Exn0A7qcSAzgaDlgGb9R5bzOixuebj335sr+e+Syg7bo0wqVpm7g5iH:gqeA/206ysJDl/hR5bCixuebL3brSygO

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.alkuwaiti.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ele@1804

Targets

    • Target

      Bank slip.exe

    • Size

      643KB

    • MD5

      83d5996cdae805e2caaea0c087163700

    • SHA1

      2b69f4a9e66cb932f695fc0b004c81d34f3684d5

    • SHA256

      ca444d4c1eac0d3464e99f59a3391aa587572814d5fbecfe1d02ac9bf84606e8

    • SHA512

      c879cefa653c5abacaad7cd4ff49a61322b613db888cf21c37f343f2a2f8d31c79e2ee7cc33255eaef3030b63d530fc8deb08c57d1cab16e72206093ff01a9ed

    • SSDEEP

      12288:TSWPxnsANqcSezgcDlgGZ9d5bzNmBorZpOaAXmne+Sdq2A2cWjoI9:fsWyytDl/bd5biorPAWnrSdOrA

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks