General

  • Target

    21052024_1435_21052024_QJAS2024P01-080 Q20240521.IMG

  • Size

    1.2MB

  • Sample

    240521-ryhp1ahd81

  • MD5

    ee46f4cb0faacef486ba752add49799e

  • SHA1

    2507c14f79b35cfc5d2187a797be8745752dda81

  • SHA256

    0b4a3dd50fed1972cb41fa18b79d8a51ae8b15ae8d31e4facd926a86bfa6926f

  • SHA512

    3f71cceb1be3890800859c99163ca6456cb8c40f5289b2d59c251022922f05d3f495a06f6d2fa0919ddc693f1cf9a1ea79917ce47199944b5666f661bfb622bd

  • SSDEEP

    6144:0DGIRuoQi1NgwFSaUVf9GBVoqzai9ghRTMiZ4rbcev:rItQi1awNUaBVJza2QRQiZW

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.instantprint.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playmen123#@

Targets

    • Target

      QJAS2024P01-080 Q20240521.bat

    • Size

      365KB

    • MD5

      c384da3e37c99bfc9faebad32ecfb668

    • SHA1

      b852f9fa14ac453cee0d75498254eab0cf6cc35a

    • SHA256

      55ced74de69fdb2659600fae77f6177b2c9d973c0da60060546010e71309d92e

    • SHA512

      f0f3a7f37f21e26e5969fb7e5830e12061cf2659e40a0bc6e8d1d9642de65b6882f24a8ede55afa793fcc8ba741897bfacba0aab3fe0288953e116263d422ec5

    • SSDEEP

      6144:MDGIRuoQi1NgwFSaUVf9GBVoqzai9ghRTMiZ4rbcevR:zItQi1awNUaBVJza2QRQiZWp

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      143c1b18ccd1ab2ceed02caf0e06ef8a

    • SHA1

      b59d780e0a85f816b41aa657d4a643d77bd20a99

    • SHA256

      8920afae5d9c06f6ba1f254a1e32ac2acfb0fdb11ab2158cfe880a191045e3d7

    • SHA512

      91bd09610679224a7774044b16054721567385d3faa241e72b51f27ef660870f7282e887016df492d5b3ab3b6d9c130e036258c4f27d5ca4cc3a12b76ff71b39

    • SSDEEP

      96:8eS0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqk5nLiEQjJ3KxkP:t8BfjbUA/85q3wEh8uLmcLpmP

    Score: 1/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b0c77267f13b2f87c084fd86ef51ccfc

    • SHA1

      f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

    • SHA256

      a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

    • SHA512

      f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

    • SSDEEP

      192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC

    Score: 3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      eac1c3707970fe7c71b2d760c34763fa

    • SHA1

      f275e659ad7798994361f6ccb1481050aba30ff8

    • SHA256

      062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3

    • SHA512

      3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

    • SSDEEP

      96:oXHqZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4AqndYHnxss:oXHq+CP3uKrpyREs06YxcdGn

    Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic              Technique                     Count  ID
Credential Access   Unsecured Credentials         4      T1552
                    - Credentials In Files        3      T1552.001
                    - Credentials in Registry     1      T1552.002
Discovery           System Information Discovery  1      T1082
Collection          Data from Local System        4      T1005

Tasks