General

  • Target

    Pre Alert & Debit Note PO20766.zip

  • Size

    267KB

  • Sample

    240610-f86c9sdd58

  • MD5

    8c937b60f809b625d52623c33f22771f

  • SHA1

    f55c6f51c97d0936e2eed586671616687f73f688

  • SHA256

    c60db852dd9b052c7707d5735a7b8368fe161f68f7ca6b9bfb0e03b14a790c1f

  • SHA512

    1bebe7b846a383d0d226d8cd37806c67ba69340b591ace0e6ba8941419906ef19ffd6c2c13bf792aaf002baf6ceb63005cc89fd2a098bf6c66531d3b07ef1b02

  • SSDEEP

    6144:Nfr83iHBSdGjCMaMO6S/13winkAqoGg3cZlbIxgdL9V80cSmMPp:NwyH5GMaMfSdPkAtGnl9dL9V

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dol
  • Password:
    Doll900#@

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dol
  • Password:
    Doll900#@

Targets

    • Target

      Pre Alert & Debit Note PO20766/Pre Alert & Debit Note PO20766.xlsx.exe

    • Size

      390KB

    • MD5

      9ad1097ef6d23a86d4b9327e54fdc9bc

    • SHA1

      517d09c1d755f08f3c5bf073d87185a801b68907

    • SHA256

      df9e1f7fa8d1badaa7afd42cc3aac4ef5aad3a9973ee71059599325284566e67

    • SHA512

      1ea9293a6931e191b1c63537fc5ea003e8ae98d53242a711769052bf9ba1976def2bb5f7894f85a0da087c0a4354a68474268da77d8438cfbb0a04299df7c955

    • SSDEEP

      6144:nG8/Pl5W2KYbjOrq1NijSchoiEC8IjhJwJpNhCF5qGI3f2nwf0F4eQhrt/bcnAI:n2rgijP7EHEsvNhC7IfBbhrt4T

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), written in Visual Basic, that harvests saved credentials from browsers, email and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the FTP account extracted above is this sample's exfiltration channel. The dropped file uses a double extension (.xlsx.exe) so that it appears to be a spreadsheet when Windows hides known file extensions.

    • Reads WinSCP keys stored on the system

      Tries to read WinSCP stored sessions from the registry (by default under HKCU\Software\Martin Prikryl\WinSCP 2\Sessions), where saved session passwords are kept in a reversibly obfuscated form.

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla (for example sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla), which hold saved server logins.

    • Reads user/profile data of local email clients

      Email clients store account settings and often saved passwords on disk or in the registry, where infostealers routinely collect them.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved logins, cookies and autofill data.

    • Adds Run key to start application

      Persists by registering itself under a Windows Run registry key (CurrentVersion\Run) so that it is relaunched at logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects the execution of a suspended thread and is a hallmark of process hollowing, where the payload is injected into a legitimate host process and started in its place.

MITRE ATT&CK Enterprise v15

Tasks