Overview

overview

10

Static

static

3

PI-D24050183.exe

windows7-x64

10

PI-D24050183.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sasja/Feti...01.cmd

windows7-x64

1

Sasja/Feti...01.cmd

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    30052024_1603_29052024_PI-D24050183.tar.gz

  • Size

    452KB

  • Sample

    240530-thkkrseh76

  • MD5

    ea4f01fdae76462d32da7188d5a837ee

  • SHA1

    e04aaa14c52a1ae8a5b238dfd916ffbc8f4b0dff

  • SHA256

    3e7ecf3b7dd5aaa7d2b5136202181c99be830db6da0ae7e991876ca754cb6b22

  • SHA512

    16bc6aa4f15097dea02f094ae81fee3a392f73de89a2c4136b22364153f8bb2a92f4165fdddf77ed445317391884acdef42e23a2950e2eb6845a2831c4fdfc8d

  • SSDEEP

    12288:c7XnNco/aMIDIQdFQUvEWPxRm4ddptr+0DrmrGK6KzWFPHer:c+A76dFQmPq4HKzWFfer

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!

Targets

    • Target

      PI-D24050183.bat

    • Size

      479KB

    • MD5

      5ddfb68c77dd3a9676d7e33488b2240e

    • SHA1

      6534f207d47254de8e584c3623240682baa718e9

    • SHA256

      68184439ee7b26fb472804dbeb4ec4e99b5b7f6226a529e5524fc0eacbd4208a

    • SHA512

      6a18103ca0cd91634a58f7b6187c04c50258425c6faa9968af0f97af354cf72e455e580255d68aea098b13d8daf9db0f4820a164d607742946f4a5dceefd7c9c

    • SSDEEP

      12288:0vdsolqcQh7iEWt1RU49d9Nr+0vrkMY9e/IXj4:RiQWtU4W9e/A4

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      ee260c45e97b62a5e42f17460d406068

    • SHA1

      df35f6300a03c4d3d3bd69752574426296b78695

    • SHA256

      e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

    • SHA512

      a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

    • SSDEEP

      192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9

    Score
    3/10
    behavioral3behavioral4

    • Target

      Sasja/Fetishmonger201.cmd

    • Size

      7KB

    • MD5

      bd479c9693d27a0221fb69c185d1a4e0

    • SHA1

      d912cfd5911a8d3124bd79cf8683d551f4afecf9

    • SHA256

      68c19ef915bd4b11fabff6fc3bf4c807f854ec334da854532e72df938c37631f

    • SHA512

      64ca039da364497fe36f24164b677842c89e7c1cec0456e597ef97f419f55e7f80c3f4de6bfae879cb1d1b2002e0dee778f9eabbc4105cf9dc2c392b94ff7665

    • SSDEEP

      96:J2H3JCCNdYERZ3LK1vGc14sJhtg4qeoi95EHSvz4CuQuA5ugHyFcWo+Txt:Ja06dYERAvZ4sJht/EI5qOMQzueMoIt

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks