Overview

overview

10

Static

static

1

9a3df156a1...46.exe

windows7-x64

10

9a3df156a1...46.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9a3df156a13ba47cbdea89891641b0fd9bf9a3337034c10a38537dfe573b6046

  • Size

    722KB

  • Sample

    240424-cj6e7aeb3w

  • MD5

    a137190807cc53e311cd9c9517e86631

  • SHA1

    4bce0de9f0dc621a3f8317d271ba0aca034231a5

  • SHA256

    9a3df156a13ba47cbdea89891641b0fd9bf9a3337034c10a38537dfe573b6046

  • SHA512

    363e5ffed8da58069105e6b7cc90598d4ebf865a05f4100514870280c3b7500f9efed2d123f83ea2f1e37e7177c1232e741f6373a1bcba779cb71ea47f24eb3a

  • SSDEEP

    12288:OcK1lNZRA0N0Y/qX4bGkdF8MUiUExDNVIXkYyXHhZON9ojMm8sk4H4444C4kR:cl7N24brnUiUExAXkYy3DOnNm8L4H44C

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.kz.com.eg
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    KzCairo@022

Targets

    • Target

      9a3df156a13ba47cbdea89891641b0fd9bf9a3337034c10a38537dfe573b6046

    • Size

      722KB

    • MD5

      a137190807cc53e311cd9c9517e86631

    • SHA1

      4bce0de9f0dc621a3f8317d271ba0aca034231a5

    • SHA256

      9a3df156a13ba47cbdea89891641b0fd9bf9a3337034c10a38537dfe573b6046

    • SHA512

      363e5ffed8da58069105e6b7cc90598d4ebf865a05f4100514870280c3b7500f9efed2d123f83ea2f1e37e7177c1232e741f6373a1bcba779cb71ea47f24eb3a

    • SSDEEP

      12288:OcK1lNZRA0N0Y/qX4bGkdF8MUiUExDNVIXkYyXHhZON9ojMm8sk4H4444C4kR:cl7N24brnUiUExAXkYy3DOnNm8L4H44C

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks