General

  • Target

    d277575c37a75e86f9ab5e550e11cbf8_JaffaCakes118

  • Size

    643KB

  • Sample

    240907-v14l2avgrm

  • MD5

    d277575c37a75e86f9ab5e550e11cbf8

  • SHA1

    57d3942e83d1a19fe0613317ba7ce5fbedbdd9e6

  • SHA256

    44e849db1720b5792bd5fdaaa836febe70b46f16dd3bc34575a1dfa5c9cb76bc

  • SHA512

    4184cb7701499970e2f5723a6e9dfc6526afc88d9bea16400618fb1456d1edc7e2b51d9506920950efd706d98685ba5e2b4b91080dc478e83b9d4d6b8a66e833

  • SSDEEP

    12288:CkSOJDXgHVYgQLKnO+p+4tM/szeGlnF3RP3c3yHVvfVd7w8sdCokqKTxojNSCNk:CkSsoRvnzi4LfcC1f7739qE6jNvNk

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.picprotect.ro
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    marketing

Targets

    • Target

      Dhl Contact Form.exe

    • Size

      727KB

    • MD5

      fcad5da5a6979b13f69461436c7d70d3

    • SHA1

      b2cbe7e8642e234d541c3734f328375b0473f6f3

    • SHA256

      a8e3aa38bc5411b933613c703086a892234231639204d40df93831d6062423c7

    • SHA512

      42ad6ed4d26fd49255b497d20176c74c6d55520f1265cfd2c7bf1f1f46741be92be148d4402e3e3990e8f27a4996fa47da20c61f5fff94f3cd000589ccc125d2

    • SSDEEP

      12288:x3QrPihTKSNDJkJVYMiLmnA+p+4BM/EzOU3nFtdPZcryfNvf5z76msfyaEyobpoa:xdTKEoh/nlOgthceFfl75xyESTNbQ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
