Overview

overview

10

Static

static

3

CONSULTA#1...RE.exe

windows7-x64

10

CONSULTA#1...RE.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe

  • Size

    605KB

  • Sample

    240912-xsmpnazanm

  • MD5

    c6c117c18fead29fb0e5393139d0b0f2

  • SHA1

    73a18e382de6516dac2ffb386a7fbcbcd3bb4101

  • SHA256

    65a95ebb11d9f2916453cb3c2b7e45b583ba360af7bfd915547de103b78cfe5e

  • SHA512

    d92b5c3064bf186bf716f154df5a4c8309d359176a3f5abdb5ba317f3c6a6811afe4793349195b9471af7c176f74ad31835233ca1e18ba883382e820bcf58aca

  • SSDEEP

    12288:LziLE5mL2ElK5ZaogX46imb569QKOI5nETg9V0baQCtxNwho5aMqHF:CwIL2xZaomziC569H/9GajtjL5aMW

Score
10/10
agentteslacredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.zoho.eu
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    office12#

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe

    • Size

      605KB

    • MD5

      c6c117c18fead29fb0e5393139d0b0f2

    • SHA1

      73a18e382de6516dac2ffb386a7fbcbcd3bb4101

    • SHA256

      65a95ebb11d9f2916453cb3c2b7e45b583ba360af7bfd915547de103b78cfe5e

    • SHA512

      d92b5c3064bf186bf716f154df5a4c8309d359176a3f5abdb5ba317f3c6a6811afe4793349195b9471af7c176f74ad31835233ca1e18ba883382e820bcf58aca

    • SSDEEP

      12288:LziLE5mL2ElK5ZaogX46imb569QKOI5nETg9V0baQCtxNwho5aMqHF:CwIL2xZaomziC569H/9GajtjL5aMW

    Score
    10/10
    agentteslacredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      17ed1c86bd67e78ade4712be48a7d2bd

    • SHA1

      1cc9fe86d6d6030b4dae45ecddce5907991c01a0

    • SHA256

      bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

    • SHA512

      0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

    • SSDEEP

      192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks