General

  • Target

    e45a496d51c0052b37ce30648e8902cd_JaffaCakes118

  • Size

    724KB

  • Sample

    240916-j41trsxcqf

  • MD5

    e45a496d51c0052b37ce30648e8902cd

  • SHA1

    5f491ef97387f68fd8d3d3c5f6da040b47dd5d70

  • SHA256

    b5407867280ebab5a6ae8ae4878a36108b33d78976a0f5c4697e03ac17327193

  • SHA512

    cb4a6783202d85ec07eb8bcece51d47d3334094a2b4c3ac468f6763b169610ea79ebd12f176e240606a04b6d88eeb2d2c8e703638feda1434127a165016634b1

  • SSDEEP

    12288:u39mInOx92atpqWJ3Ni/Bxt9hBDw5BOJYERLvgGonqlrugvkbQFNCH8OgytL:K+WWJ3NKBhDwFCchqlr7wSi8IL

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ikechukwu123456789

Targets

    • Target

      Quotation#[email protected]

    • Size

      889KB

    • MD5

      98d9d150c0b4afc30efd34c22e176f56

    • SHA1

      ba286afad44a3f4f514aff7f1dca1c159f8cbec0

    • SHA256

      c9c89543724cc2517b6f7a873f9c33cc055c237829c65a268dbdf64a21b4dd95

    • SHA512

      8f03ca7edaebc084f20609f8005b85d8a0fc5d18187f67179b6799dd9c5c337a9584714bbafe9eedf6dbc405787b38b3fdbef723590fd16a4da7ab9b0571ca31

    • SSDEEP

      24576:WyBtjmCojfzv3J3LTT3onKLMplOBLG6+:J72fzv3ZbT0l

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks