Overview

overview

10

Static

static

3

DATASHEET rfq.exe

windows7-x64

10

DATASHEET rfq.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DATASHEET rfq.exe

  • Size

    364KB

  • Sample

    240502-gg3zhaad8s

  • MD5

    25727be97a9ff477eaf9f5ede2517d4a

  • SHA1

    66de55b95e1f19b9c626e35126e9c6dbac8680b0

  • SHA256

    037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b

  • SHA512

    f1ecad4f78ddab2d5dcd0ba863f97b17e68e25f6369b0532cf12353f067beec6e358c9acdf82ed84eb7fba19acc55e7085369082757e8a6a18fa1b15e435015a

  • SSDEEP

    6144:BcQ9zIITdbWCYoZjp2D210jNiIwUv5PGqJe+kmX/SZB3pH2ybSnYOD69Y7Qh:BwCYsjpu210jNnlGqJolIyUYOu9YW

Score
10/10
agentteslaguloaderdownloaderkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DATASHEET rfq.exe

    • Size

      364KB

    • MD5

      25727be97a9ff477eaf9f5ede2517d4a

    • SHA1

      66de55b95e1f19b9c626e35126e9c6dbac8680b0

    • SHA256

      037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b

    • SHA512

      f1ecad4f78ddab2d5dcd0ba863f97b17e68e25f6369b0532cf12353f067beec6e358c9acdf82ed84eb7fba19acc55e7085369082757e8a6a18fa1b15e435015a

    • SSDEEP

      6144:BcQ9zIITdbWCYoZjp2D210jNiIwUv5PGqJe+kmX/SZB3pH2ybSnYOD69Y7Qh:BwCYsjpu210jNnlGqJolIyUYOu9YW

    Score
    10/10
    agentteslaguloaderdownloaderkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      6f5257c0b8c0ef4d440f4f4fce85fb1b

    • SHA1

      b6ac111dfb0d1fc75ad09c56bde7830232395785

    • SHA256

      b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

    • SHA512

      a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

    • SSDEEP

      96:zPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+y:zPtkuWJX7zB3kGwfy0nyUVsxCjOM61u

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks