Overview

overview

10

Static

static

3

NEG-S16-20.xslx.scr

windows7-x64

10

NEG-S16-20.xslx.scr

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEG-S16-20.xslx.lzh

  • Size

    626KB

  • Sample

    240523-dmvnjabh54

  • MD5

    4f2003d9dedabb95895f06e41f1f139d

  • SHA1

    ea54020f029142273eefefff06c952155cd51403

  • SHA256

    416157183d15aabc842eaa886a699f35bf9522296a0bdf7912e0f2bb44447c8c

  • SHA512

    8a55edc5f854b991d3068ff65df65495159a01b2a35431b5a24c65a4bafa012397a17bfa3568b57d284bdc9b53b23166f39160951f9157564d930efa6dda609f

  • SSDEEP

    12288:TQPXzTuNcSifbRJN/gXPZKfpi0So4LDaumh1FECZhNUFAf2sEN3wM62ZuT0nl:2eNs71UPArp4Xmh1FECiihEN3Pugl

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      NEG-S16-20.xslx.scr

    • Size

      886KB

    • MD5

      deffa6528aa8ecf6e6f581ee41953497

    • SHA1

      acabd0b4f33c676e5152dacd0797a06c23bb98a4

    • SHA256

      bf5514d335e4930fc83a96c80379f37a04c3d7db5ce541de244f0a6dc0116a29

    • SHA512

      182b82c793b55b8737edd81a66f854b965d116e964c62de5b0b3b594774037aa99f8a21adc42cb1ff63e157c5a7bc44b799b28425acba63d7ff3454ac8546b3b

    • SSDEEP

      12288:/8vNAZt4fQ+foATEJyFkUtbrAllCHEhEFcu2WAPy:/8lkt4fzfhtkNfCoEuu2z

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks