Overview

overview

10

Static

static

3

QUOTATION ...ER.exe

windows7-x64

10

QUOTATION ...ER.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    27e99a83d076d11fb1d1d9900edbad696f2f2a5ba528e1f8c0c1b8aeb112bbdf

  • Size

    469KB

  • Sample

    240831-ghq2bsyejk

  • MD5

    85e04ab8aec97cf4920222ae181ca240

  • SHA1

    8fbd31804c9f22909d4e4601cbac7b3ffb39204f

  • SHA256

    27e99a83d076d11fb1d1d9900edbad696f2f2a5ba528e1f8c0c1b8aeb112bbdf

  • SHA512

    ffaa9bea78714c7f58f8592b70a2a06bc1346e9e7e151542b0f944068700c627ffb45792ece45f8dbf6a9fb6729a7501407704ae9bd2f5a4d3395f8d6624c42b

  • SSDEEP

    12288:3EjGz7cYttEU48uzb6qlh0NA8ZHyvbZVBSngkE:3kAtt4P+/1ubjagkE

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.grodno.by
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    9qd8$2NonPD

Targets

    • Target

      QUOTATION FOR NOVERBER .exe

    • Size

      571KB

    • MD5

      e05f2cd84e4e9a44fc5c7367b8b66549

    • SHA1

      c9b3e5401d4dd2cb0177c2724f249f49851e6908

    • SHA256

      25f75aeaa9ff41505c50384218858fcbb23fe4559e82fd6d670ceeaece9684f1

    • SHA512

      9190f2646e63551cebcad40d6e2cbbd4b803ab8cfea510a2f1701b78c7e587b2082689241eea22142cafdabd7771ac339e45b06edd21e04706fbc210107f246a

    • SSDEEP

      12288:Zzos6Ibw8eGYUTRCa5y6jFAh0vL3C0ASmX2R/BtjqJFTP:ZPdbw8eGt/5y6jFAeL3C0hmX2Rptjq

    Score
    10/10
    agenttesladiscoverykeyloggerspywarestealertrojancollectioncredential_access

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks