Overview

overview

10

Static

static

3

be65d8544d...18.exe

windows7-x64

10

be65d8544d...18.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    be65d8544d92e75d23d9e02edd74e984_JaffaCakes118

  • Size

    391KB

  • Sample

    240824-mgjhravhra

  • MD5

    be65d8544d92e75d23d9e02edd74e984

  • SHA1

    f38ee74c622a75581311ef0c3f13ed070e43a0b8

  • SHA256

    93df210f7bb07b5e3749e81a876881f8fef44dcb4b10ece991d8d6a0100a0ab7

  • SHA512

    3407b986e44edc80a89db6207bd478b572d4bc38966080a91ab4ccceaa7fe64ad5d7f310e5dbb2fdc63cef999e2344c667f23a3fb0998380496cabc308eabd53

  • SSDEEP

    6144:SfN08v8dLaKmJkgQZcvjJA+PUaeKWqWokNCHuxNpY4B1fsM8d2hj26AE:408UdL0JDQUNUaNczXNpDp8dej26Z

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    N^ekly*7

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    N^ekly*7

Targets

    • Target

      be65d8544d92e75d23d9e02edd74e984_JaffaCakes118

    • Size

      391KB

    • MD5

      be65d8544d92e75d23d9e02edd74e984

    • SHA1

      f38ee74c622a75581311ef0c3f13ed070e43a0b8

    • SHA256

      93df210f7bb07b5e3749e81a876881f8fef44dcb4b10ece991d8d6a0100a0ab7

    • SHA512

      3407b986e44edc80a89db6207bd478b572d4bc38966080a91ab4ccceaa7fe64ad5d7f310e5dbb2fdc63cef999e2344c667f23a3fb0998380496cabc308eabd53

    • SSDEEP

      6144:SfN08v8dLaKmJkgQZcvjJA+PUaeKWqWokNCHuxNpY4B1fsM8d2hj26AE:408UdL0JDQUNUaNczXNpDp8dej26Z

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks