Overview

overview

10

Static

static

3

d094785ecc...18.exe

windows7-x64

10

d094785ecc...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d094785ecc5bbf49a83e3deac91a04d8_JaffaCakes118

  • Size

    723KB

  • Sample

    240906-2gc4as1emj

  • MD5

    d094785ecc5bbf49a83e3deac91a04d8

  • SHA1

    a7b5ab11f15d781f5d983043f42ec8b873d1bf19

  • SHA256

    967a436c612a4bb8d24551b05dec0a18b933033c5ed7a7b7fe883e8234b73a89

  • SHA512

    080630d4ed78fa2f595cc0aab60d2127d8b591fa38fd18d0012eb56bbb8d0d9e8e3b5dda8a1ed1df64602e7b7e9ca033bc3fae25ddd259af21958a8aff4402c9

  • SSDEEP

    12288:ncFUncJ54irus265GoqlDX1YH0COI+w7Ror6PpGg+l2K3RYUOk8vjeislQue0:NnYnuRcBIoGblBh8vhsmK

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojanupx

Malware Config

Targets

    • Target

      d094785ecc5bbf49a83e3deac91a04d8_JaffaCakes118

    • Size

      723KB

    • MD5

      d094785ecc5bbf49a83e3deac91a04d8

    • SHA1

      a7b5ab11f15d781f5d983043f42ec8b873d1bf19

    • SHA256

      967a436c612a4bb8d24551b05dec0a18b933033c5ed7a7b7fe883e8234b73a89

    • SHA512

      080630d4ed78fa2f595cc0aab60d2127d8b591fa38fd18d0012eb56bbb8d0d9e8e3b5dda8a1ed1df64602e7b7e9ca033bc3fae25ddd259af21958a8aff4402c9

    • SSDEEP

      12288:ncFUncJ54irus265GoqlDX1YH0COI+w7Ror6PpGg+l2K3RYUOk8vjeislQue0:NnYnuRcBIoGblBh8vhsmK

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojanupx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks