General

  • Target

    ea1badd46d183142218716bdf139ecbe_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240918-2nva6axdll

  • MD5

    ea1badd46d183142218716bdf139ecbe

  • SHA1

    2df43b51739ea6968cead8b3d2653bd1a8251c71

  • SHA256

    49ca0542dd6b090018e6038282f87d3fc77efdc6f70d9efb473bd3c6172c1807

  • SHA512

    765f15dd2e23c6000ce958d3f4fc63324d166c015677d98d3f458f91e2cef499cf6cbbaf18d93d8eb404017bc491e67b2cca21a91e89762e31c3affb7beeb09b

  • SSDEEP

    12288:iBouOZt24MOVIiaJHyIeNCWZGV/iXtmGxwz06wl740e/OKe5l9BuI8pqb5Nphz1K:0OZcOVo5eQyGVAtV2

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yatchbabara.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    j$Mk$NE7

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks