Overview

overview

10

Static

static

3

GENIC MARK...ST.exe

windows7-x64

10

GENIC MARK...ST.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d44d608b8daa79716f90ceb564394d5d_JaffaCakes118

  • Size

    564KB

  • Sample

    240908-n3jw3sxbkf

  • MD5

    d44d608b8daa79716f90ceb564394d5d

  • SHA1

    8d40eafe3334b0d2be6a5d6de8f625f9ab6bd36b

  • SHA256

    dcd01828e8e3496dfbbd1c9c1a2715f0cbbf3149eb4a5e8601fa8f199b3f953f

  • SHA512

    448939cfbd8b639613f0498e748afcb4375b7a4c126331a4266395c2b97a8dbb802e269d2c2264ccb5fa4b780028f262b66795fc431faa32d11dba84a01dd0cb

  • SSDEEP

    12288:F4LZWYoGfSg9Gp5b+W2xqcb6N6DnTzDvi2c:IiI45b+Wsqcb6N6vri2c

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.starkdxb.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    $Tark2017#

Targets

    • Target

      GENIC MARKETING PVT. LTD - RFQ LIST.exe

    • Size

      748KB

    • MD5

      daeb1336cd30df8a47a651decc6a1c87

    • SHA1

      59f860eb5a36608ceea30706f736f6b014376db5

    • SHA256

      74ab856c2d5235f78fa546a5086abab294bebfa2ae9550345e272f6a645f6d80

    • SHA512

      c4a5c5658c1fb062b1984692246eae5710f2a6af5b789e2e10aee2e39fbb76fc697c6a484f3ecfc91a495491219580568b6028cd7f290845fd1c305e8c88f085

    • SSDEEP

      12288:RBRbG/u4SZEgn05KWSXM8NkjCgjrP59NulerK4lBJzHCHJhK2iNXizwoz+axwE46:R94Pc9WS0jCqrxjuIZTBC7K1qLII

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks