Overview

overview

10

Static

static

3

P087465637...DF.exe

windows7-x64

10

P087465637...DF.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    21052024144220052024P0874656378374646PDF.rar

  • Size

    666KB

  • Sample

    240522-yddzmsea77

  • MD5

    7bc3c7ad23a5d8ce1d70dc3d7c370f3c

  • SHA1

    b3361c0fb2f2c78d89a8b2c54cfada1d76be9604

  • SHA256

    00cf9506fb1e393ceffe9d95695b004492a43e45e3837600fdc1db46bd893a86

  • SHA512

    dd6d4537f5ebf8ca17f0e368f18e8eb33549b194921e134ae4281254c09e0284d45f6d3b8b615c1ce902dd76598dfba16a725da4cb9d0735c1e65ae361279192

  • SSDEEP

    12288:V65Bh9rUWnhwPU9McDhcZG3VIk3qKygfFCIvUeGvksABAss:8FNhwP0cWIYog9XvwMLBAT

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.officeemailbackup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    qdYo!K%U_OS?

Targets

    • Target

      P0874656378374646PDF.exe

    • Size

      737KB

    • MD5

      fdaa19e82536895e7b3644f0a7ab1fe2

    • SHA1

      18d70366e89e3cf44da778c5f7b8a3454ba2072d

    • SHA256

      dbffb95f8e79e14927fb2427491244a7c3c486248eb3aecc053274c2ec8a2204

    • SHA512

      bc5cb6fea8113f52e3a447b9dbaf8ccd4f382aa29eadd93554b4d23b2cc600e32933f41ddcbac04a779647eba9ad2d1a089f231542835f0f079e251f43deff4a

    • SSDEEP

      12288:4kYifTKDseOxaeBVwxSLaMkEQmXOGZc7xig89VqaYLL1BX4Or4BV3rC/1S3XeBpC:CiQstH2fhmdcS9ILFr

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks