General

  • Target

    c032488eb3bd337fa2c8aa9077b8dd2d2e1a425f1c660027736a0089ae48ff0b

  • Size

    655KB

  • Sample

    240522-bs8q8sgb2t

  • MD5

    2a9a2c1ab1e7af904a936f757e5dece8

  • SHA1

    5cb9a0650bf7ac4dd4f5e313f26513fb7d9680a9

  • SHA256

    c032488eb3bd337fa2c8aa9077b8dd2d2e1a425f1c660027736a0089ae48ff0b

  • SHA512

    df7b90ea33d3792efee40ddd2102a523d8eba6e82bc3241ea6df346d3cd2da9d2f8c8919f21681c243a06b0a97809ffbb5bc91c7045c00bd1da38d558ada2137

  • SSDEEP

    12288:9W/508b6Ue5KzTBxL5dPRubUMSMsS/m8a6TzSzOG8Izb5qJBKXGU0LVdB1sutWV:MO8bX3RufsS/VJ2eIH8OXGU0LV13U

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7127892531:AAEiHDJV9da3w0nCvFvRsf9JJXqlkX03L5o/

Targets

    • Target

      XXuDKFWjapunCiC.exe

    • Size

      684KB

    • MD5

      8314bf1aabe8685f003af41a3f3d603d

    • SHA1

      c28a27895d8255f6c3bc6421d1bae8e9a3126e24

    • SHA256

      dc15c4392d12acd56140e63f666be57d666ac3dedb7057669b02ca3abd89091e

    • SHA512

      48dc530eb423b940067710d391732155ada45e830fc4878624fb0ed3892cd05572b07bbde8a2e485cb99cefb3d64607dba91ac29191944fcd48ed659aaa98116

    • SSDEEP

      12288:Y6/x504bFe/Kz/BhFRVsR4dWOsSP28aYTNSzOG0IJL5kJBWXuP79aylAO:d/w4bzyR4dLsSPFb2uINaCXuP79dAO

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access

    • Unsecured Credentials (T1552): 4

    • Credentials In Files (T1552.001): 3

    • Credentials in Registry (T1552.002): 1

  • Collection

    • Data from Local System (T1005): 4

Tasks