Overview

overview

10

Static

static

3

pedido 24-...48.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    pedido 24-NARC-00248.7z

  • Size

    653KB

  • Sample

    240427-j6vqjaee88

  • MD5

    a2ff27b0a446bbf042b6cffa936cccfd

  • SHA1

    6ba24b1e91bb9d3a9c42528957d109725778ae2f

  • SHA256

    7548bfdf9300e75edfc670950fed123d6db88853882b125f4b93d7d9dd2be362

  • SHA512

    abe9900b9d74d361364b5e95da9bb3082e7e23268d0cbe32a665a542d85c8866447169757e4f0808ab6a9fad7ae05e7fdb5503970916bd75cba002547fdf6144

  • SSDEEP

    12288:GFYh3fOnRn3HbZe7+A6LnP8W9pZv/25CpLEHdoVcvuH5WK4Sg8vIPOi:GFIvOnF3bZuVQnTX2M6qCo5H4x8vImi

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.indra-precision.co.th
  • Port:
    21
  • Username:
    logsbin@indra-precision.co.th
  • Password:
    UW8f$y[fBOEs

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.indra-precision.co.th
  • Port:
    21
  • Username:
    logsbin@indra-precision.co.th
  • Password:
    UW8f$y[fBOEs

Targets

    • Target

      pedido 24-NARC-00248.exe

    • Size

      675KB

    • MD5

      14e65321e8e87acf51a04209b59d575d

    • SHA1

      5bf2b65f5aa56a16cbe5c6c551ed7a6cabb4f2cb

    • SHA256

      fc87539e22a02272651741ae48f23ce39f83be4f282cf923f22d3aa58500d76b

    • SHA512

      f97125ffd012a7f3647323055dc2ed418f12d09b6d0fd2ac6204b462b9a1fd1c63da523a3510359eef926f4a0f283b23d8c600f1a602c83ef30cca1db806ffed

    • SSDEEP

      12288:3Olv312Z3Rv0n3HbZe7rA6LDP8W9ptv/C5CpOEHdoDcvuHqWKQS38vYZ:3OJ312ZRv23bZucQDfXCMXGCoqHQU8va

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks