Overview

overview

10

Static

static

5

50c24050cc...5c.exe

windows7-x64

10

50c24050cc...5c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe

  • Size

    1.1MB

  • Sample

    240510-bqxk7adg46

  • MD5

    b769c82e7f0aeb48129c514b6ee3eefc

  • SHA1

    19bd8f4cbd6422003331d9d2de11e3a7f973b0a3

  • SHA256

    50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c

  • SHA512

    97e5b8baf06b6f210cd8e9e8388963ea77b145b0192cb8af8ae7d5b088f0bdba7cedcd5100bdff61d64cb0a85bfbd69115a15e50ce4d0b7c4c43b8586098033d

  • SSDEEP

    24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8aGKSeHIqatQGNQp:tTvC/MTQYxsWR7aGKSeumGy

Score
10/10
agentteslazgratkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.deeptrans.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    59ace821A

Targets

    • Target

      50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe

    • Size

      1.1MB

    • MD5

      b769c82e7f0aeb48129c514b6ee3eefc

    • SHA1

      19bd8f4cbd6422003331d9d2de11e3a7f973b0a3

    • SHA256

      50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c

    • SHA512

      97e5b8baf06b6f210cd8e9e8388963ea77b145b0192cb8af8ae7d5b088f0bdba7cedcd5100bdff61d64cb0a85bfbd69115a15e50ce4d0b7c4c43b8586098033d

    • SSDEEP

      24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8aGKSeHIqatQGNQp:tTvC/MTQYxsWR7aGKSeumGy

    Score
    10/10
    agentteslazgratkeyloggerpersistenceratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks