General

  • Target

    d0673f0aefa51f422689139dda0d0d77_JaffaCakes118

  • Size

    515KB

  • Sample

    240906-zbheqawfql

  • MD5

    d0673f0aefa51f422689139dda0d0d77

  • SHA1

    04a830953c15316af8d0d5bcfdcb503b8d8d0b16

  • SHA256

    96539b6521bb0e7d64a0dfb6f0adf11ad2789dfe5da37d0dc50aca8db4911c33

  • SHA512

    9c9427aa1b887776b4de0936513885b0d5d23e3c6300bc59bd8152669863ffdfbfa3bbd60bc74066ad61df2a1fb2fc6b75870ca1b966c6b3fd9a2c3c99fc6bdb

  • SSDEEP

    12288:Tv86WJ91On67RpX/PkJYm1I2I72qJWOZdSKXmPB0Ii:T86g1O67TPkJH9I/J/ZUu

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mommy2158

Targets

    • Target

      d0673f0aefa51f422689139dda0d0d77_JaffaCakes118

    • Size

      515KB

    • MD5

      d0673f0aefa51f422689139dda0d0d77

    • SHA1

      04a830953c15316af8d0d5bcfdcb503b8d8d0b16

    • SHA256

      96539b6521bb0e7d64a0dfb6f0adf11ad2789dfe5da37d0dc50aca8db4911c33

    • SHA512

      9c9427aa1b887776b4de0936513885b0d5d23e3c6300bc59bd8152669863ffdfbfa3bbd60bc74066ad61df2a1fb2fc6b75870ca1b966c6b3fd9a2c3c99fc6bdb

    • SSDEEP

      12288:Tv86WJ91On67RpX/PkJYm1I2I72qJWOZdSKXmPB0Ii:T86g1O67TPkJH9I/J/ZUu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks