Overview

overview

10

Static

static

3

factura 7823378.exe

windows7-x64

10

factura 7823378.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    72b85818d7c9eeccc50f4e3ff2eaa911fd755ad73668178a54467c791deddf8d.rar

  • Size

    1.2MB

  • Sample

    240523-b21f8agh8t

  • MD5

    fba84bd4571f4879cd5140a9689cc543

  • SHA1

    8f9b0c629bf90cb8a22b5030d2aed6436c68beb4

  • SHA256

    72b85818d7c9eeccc50f4e3ff2eaa911fd755ad73668178a54467c791deddf8d

  • SHA512

    0a11e9181d84c3eb6a172879194e63f1c15f1c5c8096076e76d969ef0f143c9c47455b20924b28663bd276c3203af56fdafafc1c15ab98b5e850f116cfeb097c

  • SSDEEP

    24576:N7MTa2XEn4n0CqWgL5OMvgeDGph0LWunQJqnINGaQ5+uy+IS57hRwtIdzn:N1W0CqLNOEDGph0yunQJx7uyq5d6Cn

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      factura 7823378.exe

    • Size

      1.3MB

    • MD5

      7741e296fc7876e2cf35e44ba4264f47

    • SHA1

      265bb706ee04a4d3b6f23c87873bc7d5202c0de9

    • SHA256

      938a507f1786d7badcc95dca38a1d9bdb78984b051a68a7fd70a1b872b36a2b2

    • SHA512

      1caa387ded8ec1431cceba2def2abfdf53883fdb2c300d8a64de726f35e0a28f0036c29f0f2d894fcdcff6f6bcb6f827124ca6ca7419fa24d212d84ec5d21ffc

    • SSDEEP

      24576:99Q0lIVTRJRqhx+pF/GMvtfc+DBy/U77VaaG8uosbrDqa1VHWTcSdmWDxbLn/ohK:LQ0lsRzeMp8MtftD4M77YoOrDX1l2xb3

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b8992e497d57001ddf100f9c397fcef5

    • SHA1

      e26ddf101a2ec5027975d2909306457c6f61cfbd

    • SHA256

      98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

    • SHA512

      8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

    • SSDEEP

      192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks