Overview

overview

10

Static

static

3

d980643c1c...18.exe

windows7-x64

10

d980643c1c...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d980643c1c2d283b1a20ef5efb133514_JaffaCakes118

  • Size

    465KB

  • Sample

    240911-djfp7szglg

  • MD5

    d980643c1c2d283b1a20ef5efb133514

  • SHA1

    b26f5f4dbd42aa5e7e2106c721638132a9bf4486

  • SHA256

    cc48e4f310d824fbd5cfd4a236d25f0ed3c3e1c2379ae8220cefbb2d2d9afa10

  • SHA512

    18014340c0fa5d6a64cb81788fdcd5e4bc6ed4d634893b1042a338e6da2ec31121da412f4394aa5a6acba91e9adc051e5ec3e16f88d71190e221439c47e51ca4

  • SSDEEP

    6144:WEdbB5SOMk1+itLCFL9LLWIZkiigZR09GUff31TF0zUvg0HDj8RngTn0Xmw3JlKt:vbB5SwwFZLWISiiwBUfflTGg3IXmw

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.epaindemgroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    jpoxPg3q

Targets

    • Target

      d980643c1c2d283b1a20ef5efb133514_JaffaCakes118

    • Size

      465KB

    • MD5

      d980643c1c2d283b1a20ef5efb133514

    • SHA1

      b26f5f4dbd42aa5e7e2106c721638132a9bf4486

    • SHA256

      cc48e4f310d824fbd5cfd4a236d25f0ed3c3e1c2379ae8220cefbb2d2d9afa10

    • SHA512

      18014340c0fa5d6a64cb81788fdcd5e4bc6ed4d634893b1042a338e6da2ec31121da412f4394aa5a6acba91e9adc051e5ec3e16f88d71190e221439c47e51ca4

    • SSDEEP

      6144:WEdbB5SOMk1+itLCFL9LLWIZkiigZR09GUff31TF0zUvg0HDj8RngTn0Xmw3JlKt:vbB5SwwFZLWISiiwBUfflTGg3IXmw

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks