Overview

overview

10

Static

static

3

Zhejiang B...on.exe

windows7-x64

10

Zhejiang B...on.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    06db25ad1634c83b76ad41a91cc23deb_JaffaCakes118

  • Size

    466KB

  • Sample

    240429-fg5yesbc3v

  • MD5

    06db25ad1634c83b76ad41a91cc23deb

  • SHA1

    5e22505001726247d9ec467261af182985c486d0

  • SHA256

    959b6ea6911bdd717e0675b34721eb87fa9b8cbab3dfd785b2dbb292d5cd1eb5

  • SHA512

    bfdf71f28a6b3e30625962c1d50028a2ad8955bb52a5834e9804ffbeca89a1b85fcb9399a1327f2ff0ec5dda8b51a2e8bd69dbc360817362e12cd1b0e7684ec4

  • SSDEEP

    12288:q0dAefkskcSMw1THdXXJkPT2O43IiFA54r3F:qsAefxJdUDFZsT2LHFAKrV

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    HEoxefZ9

Targets

    • Target

      Zhejiang Beifeng quotation.exe

    • Size

      750KB

    • MD5

      ccb26b0248d76e4861c4ab3c7d4dbf2b

    • SHA1

      d82bf2747f14a9bd14ff13f22ce1b558d6b8a495

    • SHA256

      e7cb1048d6ed1b7ce7cf749aa86a335d0a5ac62a6912bdcffe6fc90ad6898f09

    • SHA512

      b90237a8bca255eab4b7929f0ccb078830d1041a3064364509e2941f0bf535ea011b2bff227d7a4ba92c131e2ab6f98f51b18bf26dd669910a018e6b24913f95

    • SSDEEP

      12288:mzvyFcE4IMkvtlLnUHRyC0ZQXO7dEkPopRfx9aUdh0DLyNP+H0V9un:MGcUvtGoC02Ohz45ra403+KK9+

    Score
    10/10
    agentteslacollectionkeyloggerpersistencespywarestealertrojanupx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks