Overview

overview

10

Static

static

1

INV9876545678900.exe

windows7-x64

10

INV9876545678900.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fc90f058384515ecbdd47e63c5b86bbfa12704e7a96ab9c6cc204e950dfabac6

  • Size

    523KB

  • Sample

    240905-k512laxapk

  • MD5

    535fddab9459feea595744cac297838c

  • SHA1

    714ec1533a2dfae43e121a2a27b8ca4046f3c85d

  • SHA256

    fc90f058384515ecbdd47e63c5b86bbfa12704e7a96ab9c6cc204e950dfabac6

  • SHA512

    b04509503373b08e8ff7bcdda0950043eacc9a1cd7c08dc3acd69dcdd93ebb7a4a8bc055c899d5ac60e5b9fa0d81e9fc31dbfbcf362cda8940778d51b8b1b3fa

  • SSDEEP

    12288:fp8YDFWIsD5uLWfbGv+7DCMDDHOz/yEgfWVqjBLPC2wrE:fptDFWIaDDBDHOr5sXFPC21

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Targets

    • Target

      INV9876545678900.bat

    • Size

      550KB

    • MD5

      247f47ee3588a622902610a70d3576bc

    • SHA1

      bf19df5857fc552b60284a8ece79f99b5fd6986b

    • SHA256

      28ea8947fa78ef77e6bb3c870348a5d578676737c5e5a0a258d46db72b54aa18

    • SHA512

      4ec7dfb15368b37e13cf775d8b8896bee729ee723e03186e9d5f8d87da1576cb6d6feea4e51535dd8563ceec6a279d9eeff8673a160847de911c81efa24c0617

    • SSDEEP

      12288:jHYHEW/ubbGn+71CMDRRqz3+EYfaVOjfLPSuwrg:UGHpLRRqb9k/3PSux

    Score
    10/10
    agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks