General

  • Target

    28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe

  • Size

    1.1MB

  • Sample

    240509-bpf7taad3z

  • MD5

    af20c6856fed0486f9f97e4e7efc8b74

  • SHA1

    236b0d66a2e71cd2024e0876ed39a4df5e7b630d

  • SHA256

    28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf

  • SHA512

    f49765f2059eef1411ab2629cb5d6c617f3bab23299e043cc8769cb148d26ed3282821a767d64507fb113734bc165ffd78d1c78f71caa6399fe0bcbc6ca7a5c4

  • SSDEEP

    24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8au/4odiwBUgA16Ns:WTvC/MTQYxsWR7au/4odfUgx

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.deeptrans.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    59ace821A

Targets

    • Target

      28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe

    • Size

      1.1MB

    • MD5

      af20c6856fed0486f9f97e4e7efc8b74

    • SHA1

      236b0d66a2e71cd2024e0876ed39a4df5e7b630d

    • SHA256

      28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf

    • SHA512

      f49765f2059eef1411ab2629cb5d6c617f3bab23299e043cc8769cb148d26ed3282821a767d64507fb113734bc165ffd78d1c78f71caa6399fe0bcbc6ca7a5c4

    • SSDEEP

      24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8au/4odiwBUgA16Ns:WTvC/MTQYxsWR7au/4odfUgx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks