General

  • Target

    3.exe

  • Size

    1.2MB

  • Sample

    240911-ryctrawbkm

  • MD5

    ec91d57cb541b3d5867b4972b0883f44

  • SHA1

    77a05550a12646964b23404fca934e6dad232d6e

  • SHA256

    0d51cc75a747abb0b17f859c228b2c15dfea604e90172af3571aa78183a654e8

  • SHA512

    84c8d5cc8d5eaf91a5f7b25eca2d0916dad5c39da9d01375bf7d328c2f8251fad6d57700fa249de03876ffa463c6f85102aa796b02741cd3f6b2602e5a469b88

  • SSDEEP

    24576:IPty3zTcFJHXIh+8xHBe7JvIKSpcG/pQd:IPQ3zTUXMxHYYpcG/2

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!

Targets

    • Target

      3.exe

    • Size

      1.2MB

    • MD5

      ec91d57cb541b3d5867b4972b0883f44

    • SHA1

      77a05550a12646964b23404fca934e6dad232d6e

    • SHA256

      0d51cc75a747abb0b17f859c228b2c15dfea604e90172af3571aa78183a654e8

    • SHA512

      84c8d5cc8d5eaf91a5f7b25eca2d0916dad5c39da9d01375bf7d328c2f8251fad6d57700fa249de03876ffa463c6f85102aa796b02741cd3f6b2602e5a469b88

    • SSDEEP

      24576:IPty3zTcFJHXIh+8xHBe7JvIKSpcG/pQd:IPQ3zTUXMxHYYpcG/2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b38561661a7164e3bbb04edc3718fe89

    • SHA1

      f13c873c8db121ba21244b1e9a457204360d543f

    • SHA256

      c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

    • SHA512

      fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

    • SSDEEP

      96:f7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNPS3e:zXhHR0aTQN4gRHdMqJVgNPR

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks