Overview

overview

10

Static

static

3

Freigabeer...ng.exe

windows7-x64

10

Freigabeer...ng.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    29042024_1726_Freigabeerklärung.iso

  • Size

    958KB

  • Sample

    240429-leabmafb46

  • MD5

    98bcba6577a79895e301b6a3d0ca21c4

  • SHA1

    0dc203197a0db73f09e21e7d1b185f4aae51eb61

  • SHA256

    1a59898daf1a8b9e55d205111e98aa4020b9a893c7ba2320dae5788638ed969e

  • SHA512

    19cddca8b39e7c771eeea9d043f915bfaa9b623eb01f0e96018a4ac71d37bf35fb55a961366da75a40e78f00f69e7cc35d5e3790e0ac4f99572482dfe561aa93

  • SSDEEP

    6144:v9X0GEh9EyWfqG2ts8KYV/i43TsgyT4O/f/KNL6Cac1YYwAL01r/x47yXnp1nOAj:Z0VEsvPZG/XU2gYVALy/O7anp1OUX

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Freigabeerklärung.exe

    • Size

      421KB

    • MD5

      7d862c6c31821657aa0877079a5c4be5

    • SHA1

      2a97fb40ca8824d4e6aa1a581e3f47290490d67c

    • SHA256

      d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186

    • SHA512

      f36c4d703667b2e19fa2d4952eabea31c112977d96e13b61b7a2c95e63b821fa75ef0f32a524c130824481ab9f4319b97e491a87b155e64a9be7130760f76f57

    • SSDEEP

      6144:/9X0GEh9EyWfqG2ts8KYV/i43TsgyT4O/f/KNL6Cac1YYwAL01r/x47yXnp1nOAp:J0VEsvPZG/XU2gYVALy/O7anp1OUXd

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      34442e1e0c2870341df55e1b7b3cccdc

    • SHA1

      99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

    • SHA256

      269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

    • SHA512

      4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

    • SSDEEP

      192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4

    Score
    3/10
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ac0f93b2dec82e9579bff14c8572a6c8

    • SHA1

      6460244317cbb77e342adb3561ec3acb496c84d5

    • SHA256

      3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34

    • SHA512

      8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2

    • SSDEEP

      96:5OBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+u3wEX:5hB2flXAVJtjf6cBbcB/N8Ved0PJ

    Score
    3/10
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks