Overview

overview

10

Static

static

3

cfe2721470...ef.exe

windows7-x64

10

cfe2721470...ef.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fdb40fe39d271c947656838f2cde9d7d.bin

  • Size

    637KB

  • Sample

    240831-cfc98szbnd

  • MD5

    828948e66e6914a705909cbd90cb5fb4

  • SHA1

    c9214d26a4497b68b43f5e8c4dfa246bd63253f8

  • SHA256

    2b6edb2e98fc5487b6292edba19906339bc40557027f062bc2f10f26862f05f1

  • SHA512

    e8e0d6da8ee684ee3d43ff5d272b6d503255e6fa198c048ef6b20cdebb5f5dc719fe34734bbefb19961aba8f5112244b4acbd30f06c8906fea77031a279cfbaf

  • SSDEEP

    12288:/dZafsLqjImhETkMgDCBnbMk+vq6h0SbpYq5oj3b6wWKZ/22KP37VZ79anvX:Vs1jImhZMNMvRmz3mMZyjD92v

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.bahar.co.ke
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    @0792161600

Targets

    • Target

      cfe2721470f3d2165536a03920786dc6ad9a85cb8efd74362be8315ed261cbef.exe

    • Size

      656KB

    • MD5

      fdb40fe39d271c947656838f2cde9d7d

    • SHA1

      3c937a5ac66dc29fe0e3e70fa3eaf75cfc180a2d

    • SHA256

      cfe2721470f3d2165536a03920786dc6ad9a85cb8efd74362be8315ed261cbef

    • SHA512

      e287affe9b05026d61b68198ebe30d94606f9a8c4276b176824262e412eb84151a5b0bee422917a3999185d7714aa06b341d9a59bcc489f8abb91eb6ede100b8

    • SSDEEP

      12288:tVVmj9iYtgaRhSTLo+s7FCiVjouzigHlmBDbajJ8nCl:5TYnhcLo+27ku0+8n

    Score
    10/10
    agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks