General

  • Target

    d151f58e907a40b4f3ce8f2f2abda15c_JaffaCakes118

  • Size

    754KB

  • Sample

    240907-hk3nkszhre

  • MD5

    d151f58e907a40b4f3ce8f2f2abda15c

  • SHA1

    4374363bbdbaa210c053eb37d638816f7bd11090

  • SHA256

    84da474dc9a86be051d5a30bd2c4715026e0faab0daf2950fcbebb8e46f907ad

  • SHA512

    ed992bdbda0cde1827d509cc0b25ec54fd3bba6e41ee6328334db36da0af525a32ffc8c5a21e385c294e0000f6f9bee537fadafebfbd70ed5a79fe37ecee47e6

  • SSDEEP

    12288:xY2SRgOu9uO2dm4rqoXa3p1dBuFAXbqtvLRcgZDy4z/Y:xxSJvObTV37de2gZW4s

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    bh-58.webhostbox.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks