Overview

overview

10

Static

static

3

Commercial...20.exe

windows7-x64

10

Commercial...20.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    674988eb9c49aaca9c7b36eabd6203bb_JaffaCakes118

  • Size

    325KB

  • Sample

    240522-ptmgaabg7z

  • MD5

    674988eb9c49aaca9c7b36eabd6203bb

  • SHA1

    ae9cb9925bf2ba790810933e51edfb607edcdadd

  • SHA256

    ea048a5efa33488ae01d42eaf70a02ff13f18353fd90cf37c1f741126c4bf7e9

  • SHA512

    2759432a16ccdad38bb3f2a0776ce058a4f3c1ed0c7c08e6a405e5ac8b78fa0cdf8fbad699d77ddf4c8cdb436788e3196aea6a90e7ca56f6f19f399f05ea8f96

  • SSDEEP

    6144:dcldfS9QnPsRLo4eKZ1LHjumwUa5tQ//QJz4t8s5Bz2XWw2+ZyN3Ij1q:dcldK9QkRLo4e69wUnEst3Bz2mhCyNYg

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.fcc.com.sa
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    In123123

Targets

    • Target

      Commercial InvoiceContract#08BR19-20.exe

    • Size

      346KB

    • MD5

      1015b6ac7933ac770c115db33f6a5b5b

    • SHA1

      0e7f032f39d5e50e0303cf51b65d593275e0a6a0

    • SHA256

      6188651c5b4b883766439245dbe8b6b5575f8dc4f861eec3a3238d0ee7093f48

    • SHA512

      041602df2a0e2f2b9dac4d34e4674403be2594aa4400051cdc2c0445912270b4d2fe1fbc4df8c12c3876b13acf6a03fba35a905ec9bc74c755766aa2a87b0f84

    • SSDEEP

      6144:7E9//cB1JOTZBy9NvXkgHtoHqUUZ2Nd9avqa5FsPZc4h29MpzMr8w7xgFEycmC:71B10TANcgNyqKDpa5FOO4g9MWrf7xgI

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks