General

  • Target

    6fcadc34eeda4afac077489aeb90d0dd0ea91ad5b0d74778f74e7a2270b9de3a

  • Size

    266KB

  • Sample

    240531-beyzwaab54

  • MD5

    36be0624bad180f1173339fb2d5b029e

  • SHA1

    0b0f737e9b9f449f96ef993cb938a1859a05b873

  • SHA256

    6fcadc34eeda4afac077489aeb90d0dd0ea91ad5b0d74778f74e7a2270b9de3a

  • SHA512

    5497dbbb3b603be2ce838a91527dfd01e1a21cb94e6750dba592eb4fcc68e18bf9eb25dab6610c5b5bc2c912edef977e2924584d56d2b0f04169485d3f55057f

  • SSDEEP

    6144:2zqKLhdo2kNzd13taN4ae5k3GIQyzyf2ht0JefMboB+KE:3sXhslk3GIQyzmktrfnB+KE

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dol
  • Password:
    Doll900#@

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dol
  • Password:
    Doll900#@

Targets

    • Target

      Shipping Documents PO33877/Shipping Documents PO33877.xlsx.exe

    • Size

      381KB

    • MD5

      77179b37f2fcdec43f42095566b6d6e3

    • SHA1

      9a0afd1631fdb273b816def1e633759b8330c564

    • SHA256

      8fb3bcbd5a38e14e633e862de16454b268d51cebeb3d3ce1dda15bda79bb4873

    • SHA512

      fbd023ee39739bbdbeaf7a1d6037c3345224f30621aa60db6216179b4900a3f8d46e0e484ee5b432d5d1119d2f177690b180d8c7f09bc64ee2bb85e4f7ec8e8f

    • SSDEEP

      6144:oULmwjsj1ZkYbRxILAymqpVJyZpkh5JNRds9jdx/ZKU/OH6HVZpvCV:oUqB1ZnRxe1hYp65ZdUjmmIV

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks