General

  • Target

    dbb7bb571bc13a2d2764a0b8f9c2d8d8_JaffaCakes118

  • Size

    545KB

  • Sample

    240912-dtz7laydpl

  • MD5

    dbb7bb571bc13a2d2764a0b8f9c2d8d8

  • SHA1

    206c16780a8168525e942e2e1788eb69480a53c6

  • SHA256

    ea07adb62af5f417245acf78e0efd7ec9f992716ab7cee0a3bd0596c659ca2ab

  • SHA512

    1020c003e19d36603a557c57eeab83d19dc48ac604157af041f7c43d93b0b0e81c845b17ab92df12f063d715fa3365082c5845079b9c876436481f5983c426c8

  • SSDEEP

    12288:aRUUiYp0bezcKXZDQsnkp8rnU5z7eyJw/FdHyheDsEQtb7:vF3ezcKXBQBp8jCtmNdSoDsBv

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ikem123456789

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ikem123456789

Targets

    • Target

      Shipping Documents.exe

    • Size

      640KB

    • MD5

      bc9e1181532d4dd1bec7892854cf4e44

    • SHA1

      30db28aadd0437d64625ce02b4633ad30698b4c4

    • SHA256

      fdd5093396ad658edb3b5ebd26f9760100773b33c615012df934e78a2009885d

    • SHA512

      345d458874ed9a67c5c32a62d87f64ee2a76cc35d7b0d6ff25b75894fb082b6e95eaaeb4395db7787d5ce8a9991ef07199ac04445947008e6d1ab934aa46d5fe

    • SSDEEP

      12288:o4pnIl9vnHoZJfdLbsU8YssGfR9GDg+KnhsU7v9aBHHniL7jGt+UR5UrC4ikrV8x:A/Hj1adHv+YurQ5

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, written in Visual Basic .NET. Its primary function is harvesting saved credentials from the host and sending them to an operator-controlled endpoint; for this sample the extracted configuration above shows exfiltration over SMTP.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers (ATT&CK T1555.003)

      Malicious access to, or copying of, a web browser's credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP's stored sessions, which can hold saved host credentials.

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla, which store saved site credentials.

    • Reads user/profile data of local email clients

      Email clients store profile data, including saved account credentials, on disk, where infostealers commonly target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Unsecured Credentials: Credentials In Files (ATT&CK T1552.001)

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      SetThreadContext redirects a thread's execution. Outside debuggers it is characteristic of process hollowing, where the payload is written into a suspended legitimate process and that process's main thread is pointed at the injected code.

MITRE ATT&CK Enterprise v15

Tasks