Overview

overview

10

Static

static

3

eDHL.exe

windows7-x64

7

eDHL.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    13082024_1637_12082024_eDHL.img

  • Size

    1.2MB

  • Sample

    240813-t5bldavbjh

  • MD5

    895bec353e354a82fefaf200e0718d20

  • SHA1

    12789faf5de146eb2eafdf3f56358a9a3d4d170d

  • SHA256

    af3930e47f4852850939f278ca97c87680e577430330b5eb4e73230bd0ea83f2

  • SHA512

    8f30cefd84fb873c61bd357b431f7bcf50beaba728ffd284e139762d345145a4d4705e1b54485c5d8fae193597fd29ea729cf8b514ec209c70752e2af9fea105

  • SSDEEP

    12288:WYj/FuFzT5iCzB4S5ZxiKJYq1Z/uvLehePy2nihQDK16:WYyzzq65v1Z2ylQ

Score
10/10
agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6552656021:AAGTsBqPYFMJgUZIb0oVwYnHmgsfBpPUZcY/

Targets

    • Target

      eDHL.exe

    • Size

      481KB

    • MD5

      821c19c40245ad8efd4764a3e1bbdcca

    • SHA1

      e85db0dac724d34d7e04cb5024c0c4efa9579d3b

    • SHA256

      dee042fe46862472c6f14598b59f4fede00131d598b3d31fdff93b501a229464

    • SHA512

      c89dd98d1141f401e53a4406e70ac58d833d8a7151a9edc00e84b1fc0736dbe9a6c2a11bab1640582f2e92d0ef63a84d413a628351049603ce356b42277c3f96

    • SSDEEP

      12288:bYj/FuFzT5iCzB4S5ZxiKJYq1Z/uvLehePy2nihQDK16G:bYyzzq65v1Z2ylQA

    Score
    10/10
    discoveryagentteslacredential_accesskeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      68b287f4067ba013e34a1339afdb1ea8

    • SHA1

      45ad585b3cc8e5a6af7b68f5d8269c97992130b3

    • SHA256

      18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

    • SHA512

      06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

    • SSDEEP

      48:S46+/nTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mFofjLl:zFuPbOBtWZBV8jAWiAJCdv2Cm0L

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks