General

  • Target

    b30d3ec99edbf715c40688d1c74ea4b6.zip

  • Size

    442KB

  • Sample

    240901-3nhg2avflm

  • MD5

    adab6a67548ae583aadd6a6da937902d

  • SHA1

    32518ad4ae4985c77316106f815dce0396213420

  • SHA256

    9ee9e268ed3675aec15103ee42b8888a2524ca681071439675817e223761845e

  • SHA512

    356a795e471cbee14cf04ba8d8eca0b24e295b67f0841cb436612e2d53f549ab3d111450a733ace1f76886f4e81c09572fb3905cf44cb204332eb0c34c0b9013

  • SSDEEP

    12288:u+HJh5sqoku8rTWHHBTHaOasdOz31HXHl6D904QJwRWf5Qfd:F5q8rTitL+3Hl66pJwkf5Ql

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    C%)%GWZe9

Targets

    • Target

      0438b9fd849f4116d4c8d21fcebf1eebc23d7e92553ef1c2d8bf3ab7846efb17

    • Size

      530KB

    • MD5

      b30d3ec99edbf715c40688d1c74ea4b6

    • SHA1

      88ba4406b6e93154ded0c6f6c684177c75eface5

    • SHA256

      0438b9fd849f4116d4c8d21fcebf1eebc23d7e92553ef1c2d8bf3ab7846efb17

    • SHA512

      686b155b4a0788a4351d0a1297847431cc41049c8cf6705afdd2803e565faca6ba4f30104c8d57036d12e9775c85781a41ad9cf2336f9099849a9deb7f7b7936

    • SSDEEP

      12288:30lXKEVPcGlla0Yi7ukUSh4to2+RYs++5QO0Z3G+6Y:30l6ETlJ5ukv4tl+RYs75zU6

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks