General

  • Target

    2cbcfbd1e6f6eadb2443afec2d5c07c258d2b30cacb5c493796221cd91319fed.exe

  • Size

    767KB

  • Sample

    240530-ywhesaad48

  • MD5

    05ef4c8c01d1ac5677050f185e7ba624

  • SHA1

    45aea96a93da7d0f845e9913e1423c2b3a9e4487

  • SHA256

    2cbcfbd1e6f6eadb2443afec2d5c07c258d2b30cacb5c493796221cd91319fed

  • SHA512

    add4ec2bc7be955c1a70233e3f5858510ce8a8d062295b6c8942bfffbe4f72296c5749b10f453617fb6b823cd26cc5eb9e3ce59dea421df55f74b4849617e95c

  • SSDEEP

    12288:tCVg8byeA9Mv/S/TXp7ajg+nmHFy9tOMBj1P589O7ZoxhGk5J:MBBA9CGTp762y9tOE1B89O16UG

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: us2.smtp.mailhostbox.com
  • Port: 587
  • Username: wethem@aklaneah-sa.com
  • Password: Password: )NYyffR0
  • Email To: wethem@aklaneah-sa.com

Extracted

Credentials

  • Protocol: smtp
  • Host: us2.smtp.mailhostbox.com
  • Port: 587
  • Username: wethem@aklaneah-sa.com
  • Password: Password: )NYyffR0

Targets

    • Target

      2cbcfbd1e6f6eadb2443afec2d5c07c258d2b30cacb5c493796221cd91319fed.exe

    • Size

      767KB

    • MD5

      05ef4c8c01d1ac5677050f185e7ba624

    • SHA1

      45aea96a93da7d0f845e9913e1423c2b3a9e4487

    • SHA256

      2cbcfbd1e6f6eadb2443afec2d5c07c258d2b30cacb5c493796221cd91319fed

    • SHA512

      add4ec2bc7be955c1a70233e3f5858510ce8a8d062295b6c8942bfffbe4f72296c5749b10f453617fb6b823cd26cc5eb9e3ce59dea421df55f74b4849617e95c

    • SSDEEP

      12288:tCVg8byeA9Mv/S/TXp7ajg+nmHFy9tOMBj1P589O7ZoxhGk5J:MBBA9CGTp762y9tOE1B89O16UG

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
