Overview

overview

10

Static

static

3

5132456s2.exe

windows7-x64

7

5132456s2.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5132456s2.bat

  • Size

    726KB

  • Sample

    240920-fxh4la1bqn

  • MD5

    420ec722d368c827be0a307959f370a6

  • SHA1

    2932ed205ee2a08af3fa518de38355a67f49b50a

  • SHA256

    f585e6456d94d55f7066b196ae8d5032a7c3e7dd4ddf56c31c72fc0d3ad4fe3a

  • SHA512

    bd7efce77093a2d9861e51ce37bfae4c3ca199b851f419a3c4296abd3492b27737318b99de880d15601ee4aec38f8bf05cd2f79e898e2e8d9093bede900acdee

  • SSDEEP

    12288:0XZEFyI6M3BiMdgUB27X6SVn0GY5g0CeD43JZHVDwrG8qjWKsG4h8/zu8n8RPa+A:0XeFb6Een6S0GYBiRVmqjWJG4hchn8op

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!

Targets

    • Target

      5132456s2.bat

    • Size

      726KB

    • MD5

      420ec722d368c827be0a307959f370a6

    • SHA1

      2932ed205ee2a08af3fa518de38355a67f49b50a

    • SHA256

      f585e6456d94d55f7066b196ae8d5032a7c3e7dd4ddf56c31c72fc0d3ad4fe3a

    • SHA512

      bd7efce77093a2d9861e51ce37bfae4c3ca199b851f419a3c4296abd3492b27737318b99de880d15601ee4aec38f8bf05cd2f79e898e2e8d9093bede900acdee

    • SSDEEP

      12288:0XZEFyI6M3BiMdgUB27X6SVn0GY5g0CeD43JZHVDwrG8qjWKsG4h8/zu8n8RPa+A:0XeFb6Een6S0GYBiRVmqjWJG4hchn8op

    Score
    10/10
    discoveryexecutionagentteslaguloadercredential_accessdownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      11092c1d3fbb449a60695c44f9f3d183

    • SHA1

      b89d614755f2e943df4d510d87a7fc1a3bcf5a33

    • SHA256

      2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

    • SHA512

      c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

    • SSDEEP

      96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks