Overview

overview

10

Static

static

3

ed9108e451...18.exe

windows7-x64

10

ed9108e451...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ed9108e451b186aef422097128d25b49_JaffaCakes118

  • Size

    1008KB

  • Sample

    240920-pfh7pswdrl

  • MD5

    ed9108e451b186aef422097128d25b49

  • SHA1

    73cc62e566889b45505ffa3847fb041d35afff9e

  • SHA256

    258a33e1a09ea556a4aa613e79946c06b768e487a3fae7195ab84352748f099b

  • SHA512

    f82d3e4d5928bbbb866681907db3a3cd11aeb8ea8435ef6cbf6232485d55fc4a5488f1f927bc0f81f62958b011683e8e09743cddf023b08e670f8ca6a235120d

  • SSDEEP

    12288:uBQM7DJ9MJJpBBYDMm4mm12NA6n5TIjNG3cdpUkdd9lpWn5FAgPGkDc0OSuglZV:uBQM3YBuIst5TIZGGUkdZC5FAgP7Nu4

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      ed9108e451b186aef422097128d25b49_JaffaCakes118

    • Size

      1008KB

    • MD5

      ed9108e451b186aef422097128d25b49

    • SHA1

      73cc62e566889b45505ffa3847fb041d35afff9e

    • SHA256

      258a33e1a09ea556a4aa613e79946c06b768e487a3fae7195ab84352748f099b

    • SHA512

      f82d3e4d5928bbbb866681907db3a3cd11aeb8ea8435ef6cbf6232485d55fc4a5488f1f927bc0f81f62958b011683e8e09743cddf023b08e670f8ca6a235120d

    • SSDEEP

      12288:uBQM7DJ9MJJpBBYDMm4mm12NA6n5TIjNG3cdpUkdd9lpWn5FAgPGkDc0OSuglZV:uBQM3YBuIst5TIZGGUkdZC5FAgP7Nu4

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks