Overview

overview

10

Static

static

3

d1e1ba1e46...18.exe

windows7-x64

10

d1e1ba1e46...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d1e1ba1e46b2fa117748339ecb3e2f74_JaffaCakes118

  • Size

    503KB

  • Sample

    240907-n56tmatbjl

  • MD5

    d1e1ba1e46b2fa117748339ecb3e2f74

  • SHA1

    e21ff05dc707f559885e1b144b1ac0e228038640

  • SHA256

    7f7412de309c92d9c0c0491164ff919f39ffcb357f21cac3c40530e8c7ae5375

  • SHA512

    f60db184f89e6966a02804dadf9a3262f0b5da28970730723e856a961c85bde94bd9b7fb538640f6bf9d31ff9bd6db28cf9582f0f745a0fc522422a068ad9b88

  • SSDEEP

    6144:hVn8Y/2+3x5spUN1yY0zyZlrdEsDBYkTi/O8csNsLnAx9uIwFvEMfM:h58WhWmNEYOy9EsDBri28csNsLkRwea

Score
10/10
agentteslacollectioncredential_accessdefense_evasiondiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.dveshop.ro/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9rqYPoA&j)Hv

  • Protocol:     ftp
  • Host:
    ftp://ftp.dveshop.ro/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9rqYPoA&j)Hv

Targets

    • Target

      d1e1ba1e46b2fa117748339ecb3e2f74_JaffaCakes118

    • Size

      503KB

    • MD5

      d1e1ba1e46b2fa117748339ecb3e2f74

    • SHA1

      e21ff05dc707f559885e1b144b1ac0e228038640

    • SHA256

      7f7412de309c92d9c0c0491164ff919f39ffcb357f21cac3c40530e8c7ae5375

    • SHA512

      f60db184f89e6966a02804dadf9a3262f0b5da28970730723e856a961c85bde94bd9b7fb538640f6bf9d31ff9bd6db28cf9582f0f745a0fc522422a068ad9b88

    • SSDEEP

      6144:hVn8Y/2+3x5spUN1yY0zyZlrdEsDBYkTi/O8csNsLnAx9uIwFvEMfM:h58WhWmNEYOy9EsDBri28csNsLkRwea

    Score
    10/10
    agentteslacollectioncredential_accessdefense_evasiondiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • System Binary Proxy Execution: Regsvcs/Regasm

      Abuse Regasm to proxy execution of malicious code.

      defense_evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks