Overview

overview

10

Static

static

1

5474194c07...42.exe

windows7-x64

10

5474194c07...42.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b8f041d4d6e2727ebedbc73db180d3043f4dde649cf88303b838252e134c469f

  • Size

    653KB

  • Sample

    240904-r88n6ssdpq

  • MD5

    50f4615fcc45ed39154e1b2688571f6a

  • SHA1

    98a06c62812ae8ff3853814034c8968f7f79adfb

  • SHA256

    b8f041d4d6e2727ebedbc73db180d3043f4dde649cf88303b838252e134c469f

  • SHA512

    7ecfe0097e5c3eed9b5e764c5938080697ebe161e738b2d95f0cf651bce85bc06ebec1a41a20ac668451103a11fc05aa3726813dd9fedf5aea7606fd2cdf8a7d

  • SSDEEP

    12288:NbrlnTG/ioORq/YZ2dqJfpNdKgsrgerYzAL/7bul7oV+DQ8EKnOfQ2iqo2c:hl8ioORo0JxxX49/ScVgEUH22

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.alitextile.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Myname@321

Targets

    • Target

      5474194c07b4f0b5144069d189cd55adfd2e9e8e89bbbdba6153e173a094ff42.exe

    • Size

      705KB

    • MD5

      8645375a86a6176bd04b81b91f03a1a6

    • SHA1

      5e35f5830e5230e92270e71bdc901ac570cd7c19

    • SHA256

      5474194c07b4f0b5144069d189cd55adfd2e9e8e89bbbdba6153e173a094ff42

    • SHA512

      55227147571247e282821651a3c0097322bbad696e9a0fd63d15e968f882078987d4e4308458d77322a7ccbef51088b7d02468d6a9a7e55eef77d3190eb4fb00

    • SSDEEP

      12288:y5fzk6jQUtGzdOTImOMZXggiUspKjDSy4AmjxSoLn6+1LkACCslHGBZXTrCyQdRR:SLQ1zCOiXg22y4Aex1gwslHGBdy3Rv6S

    Score
    10/10
    agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks