Overview

overview

10

Static

static

3

Programa d...�n.exe

windows7-x64

10

Programa d...�n.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Programa de Mentoring y Apoyo a la Internacionalización.exe

  • Size

    213KB

  • Sample

    240829-gfqyjswera

  • MD5

    c94a42b8695a8d1be0cd2f74181a5540

  • SHA1

    c5ba25808dc86ed9c97dcc1b9defd9a83ad6b45e

  • SHA256

    22b92fae173e6e53733f1c8eaac661d279551827cb76b1a944b05accde5e0366

  • SHA512

    d1f0859384434fc5242fd5df9744555af7b417a11df0869c3988f21de84211f423a40107c7a38d302a9d01f565206e389e0d7ef475e583dfa37c47b746b79474

  • SSDEEP

    6144:GdnrsfHjPq+mmW8gIq3tHSQLBRG3B5+uh:fbP08gIs9SQFRGRoO

Score
10/10
agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.chimeneasinmacon.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    m4#Z{iP}xG)b

Targets

    • Target

      Programa de Mentoring y Apoyo a la Internacionalización.exe

    • Size

      213KB

    • MD5

      c94a42b8695a8d1be0cd2f74181a5540

    • SHA1

      c5ba25808dc86ed9c97dcc1b9defd9a83ad6b45e

    • SHA256

      22b92fae173e6e53733f1c8eaac661d279551827cb76b1a944b05accde5e0366

    • SHA512

      d1f0859384434fc5242fd5df9744555af7b417a11df0869c3988f21de84211f423a40107c7a38d302a9d01f565206e389e0d7ef475e583dfa37c47b746b79474

    • SSDEEP

      6144:GdnrsfHjPq+mmW8gIq3tHSQLBRG3B5+uh:fbP08gIs9SQFRGRoO

    Score
    10/10
    agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      55f18cafe28167995629fdeae4f07bdf

    • SHA1

      a6bd9310f4408c86149993d1e8833d35dd16bb23

    • SHA256

      e32b35cde7c6e2c967445de92884684db7fda506ea52b9aaa74c1a33dd2fdfe6

    • SHA512

      113e7a9e1958bea6a045a7120adf6c667880b9b1d90ff7790e2004f3954f9358a5e44ceb6be0c3b32ff8e6a06878a0f22be7206d0b5a6c5392ca30b8c3bff8ce

    • SSDEEP

      192:sj9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6YV:qJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks