General

  • Target

    20092024_0126_19092022_SO#HY220900065 NINGBOY-CN 1X40HQ ETD20922.zip

  • Size

    682KB

  • Sample

    240920-bth7zascmk

  • MD5

    aaab19627f225590b3d5302d961f6be4

  • SHA1

    bbf06cef59bb7458a2ea7e7a9f02154c5ac2641b

  • SHA256

    9151234e37e6a58a7d377f48e72ca5d6608f04ec7195092f1d00efe029f67970

  • SHA512

    58e9568d22b718d30005baed3ee6033a010f95338bfafc0ea38e999006f5642fda16a76fa7f50c141307c1df50c6ba029420b0c1e8835e98562618b4c785cfd7

  • SSDEEP

    12288:UQ2hh2RaqQlCjRiwSZqTaX6LMb1E/rIxmwgU/ztYnR4e/Gu4xk+Z2HWkt3zTV6:UQ2usnzK26LMi/MEyyR4e/GuisWkt3zI

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Tobenna1993

Targets

    • Target

      SO#HY220900065 NINGBOY-CN 1X40HQ ETD20922.exe

    • Size

      946KB

    • MD5

      91daa2c8f84ee89bd0e2f304286a3500

    • SHA1

      8e2d2f61ea0bc44aafa4ad99dcc0eae9d5f05a54

    • SHA256

      9dca9dc2fa637a134c0dc39061d53e95d5b9700c499f9a534edf0121f502e773

    • SHA512

      66f55167e32cd3067a42921d28e46dde04689e957c56c8c789eb54d27136685b2da44200557e85c02e1c6c2334c4a6a4ac9f2ac7868e8e06a10f725735c9d5e3

    • SSDEEP

      12288:HfQRi66lKjRiwgZqLMJ6FYb18/VIxmog6hztwJR4evCucx4GNVfsC:HfQADP406FY+/qcYWR4evCuWr

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks