Overview

overview

10

Static

static

3

detalle_tr...DF.exe

windows7-x64

10

detalle_tr...DF.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    detalle_transferencia_2024-05-13T064143.173 0200_3049280002017526_PDF.exe

  • Size

    557KB

  • Sample

    240522-ra3p9sdh4z

  • MD5

    a9c5337e7c384d5156d58d5b8ec7effa

  • SHA1

    34b32c66b09fa6b02c94dae25a6df9f2ea2ba6ef

  • SHA256

    c2865edc8458f593826eb983978f6256230e74610d4947506de9fbce5061cf2a

  • SHA512

    310e347a4791f86228b18d2e696f78fd395df1405bc131b5bd4f8d901489054deb8cb8c2bf732126eccc0fd2e3e06b550408e9e466be422e6e06782bfd5f8b14

  • SSDEEP

    6144:IcBvWsKG0/FpgG+cSjnXDrEGTKqXyqX6Xu7klJyk6XwG+435lRvWtRSNQABuX+rl:xKEGzSjDwI6XDc+Y+trf+rl

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      detalle_transferencia_2024-05-13T064143.173 0200_3049280002017526_PDF.exe

    • Size

      557KB

    • MD5

      a9c5337e7c384d5156d58d5b8ec7effa

    • SHA1

      34b32c66b09fa6b02c94dae25a6df9f2ea2ba6ef

    • SHA256

      c2865edc8458f593826eb983978f6256230e74610d4947506de9fbce5061cf2a

    • SHA512

      310e347a4791f86228b18d2e696f78fd395df1405bc131b5bd4f8d901489054deb8cb8c2bf732126eccc0fd2e3e06b550408e9e466be422e6e06782bfd5f8b14

    • SSDEEP

      6144:IcBvWsKG0/FpgG+cSjnXDrEGTKqXyqX6Xu7klJyk6XwG+435lRvWtRSNQABuX+rl:xKEGzSjDwI6XDc+Y+trf+rl

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      12b140583e3273ee1f65016becea58c4

    • SHA1

      92df24d11797fefd2e1f8d29be9dfd67c56c1ada

    • SHA256

      014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

    • SHA512

      49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

    • SSDEEP

      192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks