Overview

overview

10

Static

static

5

06a3d9d3f6...c8.exe

windows7-x64

10

06a3d9d3f6...c8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe

  • Size

    1.1MB

  • Sample

    240510-bezleach66

  • MD5

    7ff29697c6340dee69f9028797b75099

  • SHA1

    61dd53508f660a766e1ab154af3769955551c139

  • SHA256

    06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8

  • SHA512

    3b739f2f2871432b2564770a08dd6e44c14b07044144cbf68967a8d29f952cd0cd1b38d5cf4e00b66b5d5d4b46b313d7fbc3a0bda2bfef9f97635b01f5dbdaf7

  • SSDEEP

    24576:MqDEvCTbMWu7rQYlBQcBiT6rprG8aJHr6t8+F9nlc4gqNA:MTvC/MTQYxsWR7aJHr6tJplj

Score
10/10
agentteslazgratkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.deeptrans.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    59ace821A

Targets

    • Target

      06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe

    • Size

      1.1MB

    • MD5

      7ff29697c6340dee69f9028797b75099

    • SHA1

      61dd53508f660a766e1ab154af3769955551c139

    • SHA256

      06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8

    • SHA512

      3b739f2f2871432b2564770a08dd6e44c14b07044144cbf68967a8d29f952cd0cd1b38d5cf4e00b66b5d5d4b46b313d7fbc3a0bda2bfef9f97635b01f5dbdaf7

    • SSDEEP

      24576:MqDEvCTbMWu7rQYlBQcBiT6rprG8aJHr6t8+F9nlc4gqNA:MTvC/MTQYxsWR7aJHr6tJplj

    Score
    10/10
    agentteslazgratkeyloggerpersistenceratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks