Overview

overview

10

Static

static

3

0e50297d00...32.exe

windows7-x64

3

0e50297d00...32.exe

windows10-2004-x64

10

Resubmissions

01-09-2024 20:54

240901-zp5gea1err 10

01-09-2024 20:38

240901-ze1qga1gqe 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7cd05e908fb2ee5d33ae33b34956ed85444eac00067b03ea57d24c87823b30e0

  • Size

    361KB

  • Sample

    240901-zp5gea1err

  • MD5

    24771b8b889ddef5f8855bd7ecfff0fc

  • SHA1

    85ccc9352201d8c4717ef459fa4eed77f62e085c

  • SHA256

    7cd05e908fb2ee5d33ae33b34956ed85444eac00067b03ea57d24c87823b30e0

  • SHA512

    51ec1440aef35b6f777d0ebcebde30da30eb8c610cc1f44979a43e36bdaa96ace701a6f1c0da463696f48ab664ed16bbb8f3de34f5266f1955260e70988937ae

  • SSDEEP

    6144:swTBtHf2lBt4Ts3wxY2C9xIn4bAnON68q6cLK2H9bFTkIzto1HqPS4YX6xui:fTr/KBt4TdxYX9un4bAnON68qBK2dbpf

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.lko-import.de
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    TVMHSiW5

Targets

    • Target

      0e50297d00725ac44669baf5af6d6edefb0e5685e8062c9e383f46bc6f0a7132

    • Size

      418KB

    • MD5

      d65cdc267052f517ae8e2c03f1031977

    • SHA1

      6d6867fd6cf311f08a4955569e6c812edb4e9ad2

    • SHA256

      0e50297d00725ac44669baf5af6d6edefb0e5685e8062c9e383f46bc6f0a7132

    • SHA512

      5bf19a632e0944fe3732ffd7c90fd1d201b2c96eed8839e653552e0d50c59c18965b6fac3c7447f08d3c64cbdc278b510860d333cf2b1fe66bf8c0cbf04af667

    • SSDEEP

      6144:I6B9nFw8IzrHqB7pRDT5KbepqrFNeUYEknDh2Hd/6stZiUaYN:I0JFxIzrKtvMLLeFE0sHd/6mbN

    Score
    10/10
    discoveryagentteslacollectioncredential_accesskeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks