Overview

overview

10

Static

static

3

DAMAGE CARGO.exe

windows7-x64

10

DAMAGE CARGO.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DAMAGE CARGO.7z

  • Size

    301KB

  • Sample

    240523-thc6pagf63

  • MD5

    82c172b8b01a656140709919aa699d91

  • SHA1

    81e4611cde12f02648004c2063ed32fc14e27ebb

  • SHA256

    3ba2d8ddb27f996939d08f47da5e2837778b77c015c288dde593cfc2df3a4be5

  • SHA512

    87a35cd19b4819ee8d4ebc4d2f9cc26506502ff3e30afa1ec36cd509a0546b272268dff68bc7a6181771b3402b31ac78f2e0970b42f4d3c716782afea6e756ca

  • SSDEEP

    6144:VERva6GZBtXZ7L5wAzT1GlwpbPtK/JBoxqerNvkzegl1ZeUz3ses:VnBZ7qAzTQwnoBoxqe5vS7l1Zf3ps

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.iaa-airferight.com
  • Port:
    587
  • Username:
    web@iaa-airferight.com
  • Password:
    webmaster
  • Email To:
    mail@iaa-airferight.com

Targets

    • Target

      DAMAGE CARGO.exe

    • Size

      498KB

    • MD5

      f53753567d26f08858674d27c2222e8d

    • SHA1

      06f8efd5a96b625d8966df80ee3b8f76fb3d4b0e

    • SHA256

      5eecdaf0426291c6db36cc79cba590e61248a5364197d82228da2074a7fa3bba

    • SHA512

      900b1d005e1c5ad4ad9980af5ec495c009e2a32200fd0190e56746796acac4e68f66d55a030395c938b387eaee9c34a490194ae6bc2bca4e1e4b265a46192bb2

    • SSDEEP

      12288:imo2oiXB/6DuKf8I6niPW/Q5f7rzYP7r9r/+pppppppppppppppppppppppppppv:73XlnKf8Uayo1q

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks