Overview

overview

10

Static

static

3

dd0a67a62c...50.exe

windows7-x64

10

dd0a67a62c...50.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dd0a67a62c97ff25c9b2d25c970361795871b655328fccfebd6b9930c8521350.exe

  • Size

    215KB

  • Sample

    240830-cs4b7atgqq

  • MD5

    471aa09c9a4806ff696195626bb09f96

  • SHA1

    85f1ef8ad913adcf93992a35bf521bbe93f1ad23

  • SHA256

    dd0a67a62c97ff25c9b2d25c970361795871b655328fccfebd6b9930c8521350

  • SHA512

    dde8ee9204bc269eb8f3c3b3ec82966780a030943fabfb5ed37abd73c3ac1be1dc9421688433d1fb67c41fa41d1e633722956a267c3a412ff211a079ff5b5d0b

  • SSDEEP

    6144:tdnrsfHjuNPqetfi2BMDtLzwIevcYT/7w:4bOPhZnBMD5sIevzrU

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.rehavitalis.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    maribel01

Targets

    • Target

      dd0a67a62c97ff25c9b2d25c970361795871b655328fccfebd6b9930c8521350.exe

    • Size

      215KB

    • MD5

      471aa09c9a4806ff696195626bb09f96

    • SHA1

      85f1ef8ad913adcf93992a35bf521bbe93f1ad23

    • SHA256

      dd0a67a62c97ff25c9b2d25c970361795871b655328fccfebd6b9930c8521350

    • SHA512

      dde8ee9204bc269eb8f3c3b3ec82966780a030943fabfb5ed37abd73c3ac1be1dc9421688433d1fb67c41fa41d1e633722956a267c3a412ff211a079ff5b5d0b

    • SSDEEP

      6144:tdnrsfHjuNPqetfi2BMDtLzwIevcYT/7w:4bOPhZnBMD5sIevzrU

    Score
    10/10
    agentteslaguloadercredential_accessdiscoverydownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      55f18cafe28167995629fdeae4f07bdf

    • SHA1

      a6bd9310f4408c86149993d1e8833d35dd16bb23

    • SHA256

      e32b35cde7c6e2c967445de92884684db7fda506ea52b9aaa74c1a33dd2fdfe6

    • SHA512

      113e7a9e1958bea6a045a7120adf6c667880b9b1d90ff7790e2004f3954f9358a5e44ceb6be0c3b32ff8e6a06878a0f22be7206d0b5a6c5392ca30b8c3bff8ce

    • SSDEEP

      192:sj9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6YV:qJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks