General

  • Target

    1fbcae8d4a90832715ff4fff39141aee8afcb2c8a09d7fce0cb2c882c79b4b27.exe

  • Size

    782KB

  • Sample

    240705-tcszystdpd

  • MD5

    a78ead5466dbdfafecbe695eeee1a140

  • SHA1

    29f816a15f65faf9503c240745095b4751376165

  • SHA256

    1fbcae8d4a90832715ff4fff39141aee8afcb2c8a09d7fce0cb2c882c79b4b27

  • SHA512

    02ff7b68e6eaebe9ecce516237e0d626f8dd44f06980da4b818b346072a74212740843d1dd4dd99b465e1b89e2faf0f8cab5c7c8e5ff265efe923ac3cc5ca848

  • SSDEEP

    12288:vavtjS+xIyB6BAwt8pjs0p8vxM/r9RKGqHmIdD+m:ivjxIhrt2Y0GMz9RKHHF9H

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      1fbcae8d4a90832715ff4fff39141aee8afcb2c8a09d7fce0cb2c882c79b4b27.exe

    • Size

      782KB

    • MD5

      a78ead5466dbdfafecbe695eeee1a140

    • SHA1

      29f816a15f65faf9503c240745095b4751376165

    • SHA256

      1fbcae8d4a90832715ff4fff39141aee8afcb2c8a09d7fce0cb2c882c79b4b27

    • SHA512

      02ff7b68e6eaebe9ecce516237e0d626f8dd44f06980da4b818b346072a74212740843d1dd4dd99b465e1b89e2faf0f8cab5c7c8e5ff265efe923ac3cc5ca848

    • SSDEEP

      12288:vavtjS+xIyB6BAwt8pjs0p8vxM/r9RKGqHmIdD+m:ivjxIhrt2Y0GMz9RKHHF9H

    • AgentTesla

      Agent Tesla is a .NET-based (originally VB.NET) information stealer and remote access tool (RAT). Its core functionality is harvesting saved credentials from browsers, mail clients and FTP/SSH clients, which is what the file and registry access behaviours listed below reflect.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions. WinSCP keeps saved sessions (including passwords) under the registry key HKCU\Software\Martin Prikryl\WinSCP 2\Sessions, so a read of that key by an unrelated process is a strong credential-theft indicator.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla, which stores saved server credentials in %APPDATA%\FileZilla\sitemanager.xml and recent connections in recentservers.xml.

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk and in the registry, where infostealers routinely collect them.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, including saved logins, cookies and autofill data, from each browser's profile directory.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      A thread created with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag stops the debugger from receiving events for that thread; this is an anti-debugging technique with no common legitimate use.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) detaches the calling thread from any attached debugger; as with the flag above, this is an anti-analysis signal rather than a sign of infection on its own.

    • Suspicious use of SetThreadContext

      SetThreadContext on another thread is commonly used to redirect execution in process hollowing and other injection techniques; it should be read together with the "Loads dropped DLL" behaviour above.

    • Target

      $PLUGINSDIR/System.dll

      $PLUGINSDIR is the temporary plugin directory that NSIS (Nullsoft Scriptable Install System) installers unpack at runtime; System.dll is the stock NSIS plugin for calling arbitrary Win32 APIs from the install script. Its presence indicates the outer layer of the sample is an NSIS installer, and the low score below reflects that the plugin itself is benign.

    • Size

      11KB

    • MD5

      4d3b19a81bd51f8ce44b93643a4e3a99

    • SHA1

      35f8b00e85577b014080df98bd2c378351d9b3e9

    • SHA256

      fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

    • SHA512

      b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

    • SSDEEP

      192:BPtkumJX7zB22kGwfy0mtVgkCPOse1un:u702k5qpdseQn

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

      nsExec.dll is the stock NSIS plugin for running external commands from the install script without showing a console window; like System.dll it is a standard installer component, not malicious on its own.

    • Size

      6KB

    • MD5

      3eb4cd50dcb9f5981f5408578cb7fb70

    • SHA1

      13b38cc104ba6ee22dc4dfa6e480e36587f4bc71

    • SHA256

      1c2f19e57dc72587aa00800a498c5f581b7d6761dc13b24bcf287ea7bd5ca2bf

    • SHA512

      5a0c9d28df7a77e157046dce876282c48f434a441ee34e12b88f55be31be536eff676f580adbe4586da3f1519f94b5793ccbb3068b4b009eee286c0c5135d324

    • SSDEEP

      96:+7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNv3e:QXhHR0aTQN4gRHdMqJVgNG

    Score
    3/10
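The credential-store reads and the anti-debugging calls listed above are the behaviours a practitioner would want to flag in their own traces. The following is an added example, not part of this report and not Triage's own detection logic: it runs a small rule set over a constructed API trace in a hypothetical "pid|api|argument" line format. The WinSCP, FileZilla, Thunderbird and Chromium profile paths are the well-known locations those programs use; the process id and the trace format are assumptions.

```python
"""Flag the infostealer and anti-debug behaviours from the report in a
constructed API trace (added example, not the sandbox's own rules)."""
import re
from collections import defaultdict

# Constructed trace in a hypothetical "<pid>|<api>|<argument>" format.
SAMPLE_TRACE = """\
4120|RegOpenKeyExW|HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions
4120|NtCreateFile|C:\\Users\\victim\\AppData\\Roaming\\FileZilla\\recentservers.xml
4120|NtCreateFile|C:\\Users\\victim\\AppData\\Roaming\\Thunderbird\\Profiles\\abc.default\\logins.json
4120|NtCreateFile|C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
4120|NtSetInformationThread|ThreadHideFromDebugger
4120|NtCreateThreadEx|THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER
4120|SetThreadContext|pid=4120 tid=4128
4120|NtCreateFile|C:\\Users\\victim\\Documents\\report.docx
"""

# Each rule is matched against "<api>|<argument>" so it can key on either part.
RULES = [
    ("Reads WinSCP keys stored on the system",
     re.compile(r"\\WinSCP 2\\Sessions", re.I)),
    ("Reads data files stored by FTP clients",
     re.compile(r"\\FileZilla\\(recentservers|sitemanager)\.xml$", re.I)),
    ("Reads user/profile data of local email clients",
     re.compile(r"\\Thunderbird\\Profiles\\", re.I)),
    ("Reads user/profile data of web browsers",
     re.compile(r"\\User Data\\.*\\Login Data$", re.I)),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     re.compile(r"^NtSetInformationThread\|ThreadHideFromDebugger$", re.I)),
    ("Suspicious use of NtCreateThreadExHideFromDebugger",
     re.compile(r"^NtCreateThreadEx\|.*HIDE_FROM_DEBUGGER", re.I)),
    ("Suspicious use of SetThreadContext",
     re.compile(r"^SetThreadContext\|", re.I)),
]


def parse_event(line):
    """Split one 'pid|api|argument' line; returns None for malformed lines."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    pid, api, arg = parts
    return pid.strip(), api.strip(), arg.strip()


def analyze(trace):
    """Return {behaviour name: [matching trace lines]} for a trace string."""
    hits = defaultdict(list)
    for line in trace.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        _pid, api, arg = event
        key = f"{api}|{arg}"
        for name, pattern in RULES:
            if pattern.search(key):
                hits[name].append(line)
    return dict(hits)


def credential_theft_suspected(hits):
    """Heuristic verdict: two or more distinct credential-store reads in one trace."""
    return sum(1 for name in hits if name.startswith("Reads ")) >= 2


if __name__ == "__main__":
    results = analyze(SAMPLE_TRACE)
    for name, lines in results.items():
        print(f"[+] {name}")
        for line in lines:
            print("      ", line)
    print("credential theft suspected:", credential_theft_suspected(results))
```

The anti-debug rules are deliberately separate from the verdict: hiding a thread from a debugger is an anti-analysis signal, not evidence of credential theft, and a single credential-store read can be a legitimate client, which is why the heuristic requires two distinct stores.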
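The two $PLUGINSDIR entries above identify the outer layer as an NSIS installer. Before extracting it, a practitioner would want to confirm that from the file itself. The following is an added example, not code from this report: it locates the NSIS "firstheader" by its signature (0xDEADBEEF followed by "NullsoftInst") and decodes the fixed fields around it. The sample blob is constructed in the block and is not a real installer; the field meanings follow the NSIS source, and the trailing-bytes check is a heuristic assumption noted in the code.

```python
"""Detect an NSIS firstheader in a file image and decode its fixed fields
(added example; the sample data is constructed, not a real installer)."""
import struct

# siginfo 0xDEADBEEF (little-endian) followed by the three "NullsoftInst" words.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"
FIRSTHEADER_FMT = "<II4s4s4sII"  # flags, siginfo, Null, soft, Inst, hdr_len, data_len
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)  # 28 bytes


def find_nsis_firstheader(data):
    """Return decoded firstheader fields, or None if the NSIS magic is absent.

    Layout (all little-endian uint32): flags, siginfo, 'Null', 'soft', 'Inst',
    length_of_header, length_of_all_following_data. The flags word precedes the
    signature, so the header starts 4 bytes before the magic."""
    idx = data.find(NSIS_MAGIC)
    if idx < 4:
        return None
    start = idx - 4
    if start + FIRSTHEADER_SIZE > len(data):
        return None
    flags, sig, _n1, _n2, _n3, header_len, data_len = struct.unpack_from(
        FIRSTHEADER_FMT, data, start)
    # Heuristic (assumption): data_len normally spans from the firstheader to the
    # end of the installer; bytes beyond that are an appended overlay worth a look.
    trailing = len(data) - start - data_len
    return {
        "offset": start,
        "flags": flags,
        "siginfo": sig,
        "header_length": header_len,
        "data_length": data_len,
        "trailing_bytes": trailing,
    }


def build_sample(payload_len=72, trailing=b""):
    """Constructed NSIS-like blob: fake DOS stub + firstheader + zero payload."""
    stub = b"MZ" + b"\x00" * 62
    data_len = FIRSTHEADER_SIZE + payload_len
    firstheader = (struct.pack("<II", 0, 0xDEADBEEF) + b"NullsoftInst"
                   + struct.pack("<II", 0x40, data_len))
    return stub + firstheader + b"\x00" * payload_len + trailing


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = find_nsis_firstheader(blob)
    print("not an NSIS installer" if info is None else info)
```

Run it against the real sample to confirm the firstheader is present; once it is, 7-Zip can list and extract the NSIS archive (including $PLUGINSDIR) so the plugin DLLs can be hashed and compared with the values above.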

MITRE ATT&CK Enterprise v15

Tasks