General

  • Target

    9aa934527a69f4c1fd9b1c6eb79354a301d6c4302686d11c7da666af30e2ca2b

  • Size

    2.4MB

  • Sample

    240509-ccrcpacb3w

  • MD5

    e1a842bd6a292eebe2c2ecf8d5b12379

  • SHA1

    051e48c1d31fd2519be55c2de29e958782987d67

  • SHA256

    9aa934527a69f4c1fd9b1c6eb79354a301d6c4302686d11c7da666af30e2ca2b

  • SHA512

    6a3a7200d1ae783c1abd48ffe68fc25da014ced99c484d72e718a5bfb37fcc940fe44f1633af10225de8c371fd81066aa460002be055e0a53cb66996d40c5833

  • SSDEEP

    49152:Lia97bHJ2cnPlPSaJOZO5GIBdmwni+M5B70IJlKOAgrBJNQA1ba+lviAcZfM:vbHJVnPlxZbbmf+S4yJO0O+lviRZU

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    66.29.151.236
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    09Xt0hBU4PzO

Targets

    • Target

      9aa934527a69f4c1fd9b1c6eb79354a301d6c4302686d11c7da666af30e2ca2b
    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks