Overview

overview

10

Static

static

10

3ed31d62ca...e2.exe

windows7-x64

10

3ed31d62ca...e2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3ed31d62ca1a55ed5154502486452c6a825eb95a913a2db780fbbd23c6bdf7e2

  • Size

    42KB

  • Sample

    240706-btrt4s1gqp

  • MD5

    bb2fe2fc0e8fbe40ad8255f9b27498d8

  • SHA1

    0b8f441d8a91de1a6ef25531e9b1889d29614095

  • SHA256

    3ed31d62ca1a55ed5154502486452c6a825eb95a913a2db780fbbd23c6bdf7e2

  • SHA512

    39aafbebe264a07565de9fc640cbdd88b483b848187a9b68b75a9798954c89b64359400f691499d8cfa2e2824fe20be833de4f28cdd3611212be8c328f2f646a

  • SSDEEP

    768:DGIMl1ZpVAuwk+0JEmjoLWrU0y1oUz3wERUdocKXU6EXc7ZYLilzqKikl+mr7i0F:DrWZ0u6WK+U0y1v3w1+cqUx66mzqKikP

Score
10/10
agentteslapurecrypterdownloaderkeyloggerloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

purecrypter

C2

https://erkasera.com/Yaki/Tcdtpyiqmak.wav

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.alternatifplastik.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Fineboy777@

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.alternatifplastik.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Fineboy777@

Targets

    • Target

      3ed31d62ca1a55ed5154502486452c6a825eb95a913a2db780fbbd23c6bdf7e2

    • Size

      42KB

    • MD5

      bb2fe2fc0e8fbe40ad8255f9b27498d8

    • SHA1

      0b8f441d8a91de1a6ef25531e9b1889d29614095

    • SHA256

      3ed31d62ca1a55ed5154502486452c6a825eb95a913a2db780fbbd23c6bdf7e2

    • SHA512

      39aafbebe264a07565de9fc640cbdd88b483b848187a9b68b75a9798954c89b64359400f691499d8cfa2e2824fe20be833de4f28cdd3611212be8c328f2f646a

    • SSDEEP

      768:DGIMl1ZpVAuwk+0JEmjoLWrU0y1oUz3wERUdocKXU6EXc7ZYLilzqKikl+mr7i0F:DrWZ0u6WK+U0y1v3w1+cqUx66mzqKikP

    Score
    10/10
    purecrypterdownloaderloaderagentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

      loaderdownloaderpurecrypter

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks