Overview

overview

10

Static

static

3

Documenti ...at.exe

windows7-x64

7

Documenti ...at.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Documenti di spedizione 00039488580006996960.bat.exe

  • Size

    752KB

  • Sample

    240916-kwky1syfqb

  • MD5

    74b63fc7533ba2dfd75253a2ac5044f9

  • SHA1

    20c6f4f4db0e850f1506e7d89be267f2fa1b21e2

  • SHA256

    fbcceeb087e972ef29b0e3561a022aa4e6897cd78de77049e130e47bafcde554

  • SHA512

    ff82f9a7138fce1aca1c59fd0fc7b050d59a5c507af33beb599bec543b7b3c8186a7e7ece3c8aa47ef5383d115b06231e80bffc398598764fd642a7228e23bb1

  • SSDEEP

    12288:nXJaAf3gv3zDtlZcqY18aAV0uyXVU62+eqvIwLT6Q11m14VELQrr+ZuHu/bf95Ro:5aO3gvjs8JV0uyXE1w/K6ELDuO/J5e

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      Documenti di spedizione 00039488580006996960.bat.exe

    • Size

      752KB

    • MD5

      74b63fc7533ba2dfd75253a2ac5044f9

    • SHA1

      20c6f4f4db0e850f1506e7d89be267f2fa1b21e2

    • SHA256

      fbcceeb087e972ef29b0e3561a022aa4e6897cd78de77049e130e47bafcde554

    • SHA512

      ff82f9a7138fce1aca1c59fd0fc7b050d59a5c507af33beb599bec543b7b3c8186a7e7ece3c8aa47ef5383d115b06231e80bffc398598764fd642a7228e23bb1

    • SSDEEP

      12288:nXJaAf3gv3zDtlZcqY18aAV0uyXVU62+eqvIwLT6Q11m14VELQrr+ZuHu/bf95Ro:5aO3gvjs8JV0uyXE1w/K6ELDuO/J5e

    Score
    10/10
    discoveryexecutionagentteslaguloadercredential_accessdownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      7f4a854abf13869f8b0f3c8952a1d4b0

    • SHA1

      41c1dc531094abb81e5c37a04e7b88da14dd3980

    • SHA256

      971b9daea9ad21621ac81776c13fdd899979ab920fed44c9066a41f60b961a4c

    • SHA512

      df775a146adb801659bfec3921cf66975c8fa1425c66081ac168dc6294151d4a05c0c478d3d86fb445176bc7e775bd0165e8900d4354783ecdb9fab58a612dbe

    • SSDEEP

      96:T7fhZwXd8KgEbAa9PweF1WxD8ZLMJGgmkNW38:0N8KgWAuLWxD8ZAGgmkN

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks