General

  • Target

    f2dc22107d1d30c43f9816d233adfc31_JaffaCakes118

  • Size

    440KB

  • Sample

    240923-wzhhvawfkn

  • MD5

    f2dc22107d1d30c43f9816d233adfc31

  • SHA1

    2718c1eec9106ed458e45ef316bdb0ddd4184709

  • SHA256

    2bffaa3bda985cdc40ec6e2b50afdd4861abc3c033cdff0b7dad164fcd4126a6

  • SHA512

    8983b9944e79c64a3fa067366c0e100f371bba5db11860a7fe4a66e64b5c6e87fd8bd6c353a9b7851ac705c47297f8f35a14a83d51fca2e7496c610cb76986b7

  • SSDEEP

    12288:K3CyP2T7E6vjmN01gkrqRCNs3S+UPPWeu:UCqmYA80frkUZq

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    @infinitY1234

Targets

    • Target

      Encomenda Fornecedor nº 72718_____PDF.exe

    • Size

      852KB

    • MD5

      24375a782f56c2f74089c324839498b7

    • SHA1

      692d810e55ee330c478b50814febf6deb4d8a7a5

    • SHA256

      ee568c524241c42a0f17daa23dedb52e377c89270ccd4cfd5ca4a8177b0f6719

    • SHA512

      ff80044fe439a66512f9d5764f2b74fdcece9f39a7dacfab65b18f589091183fe2b9ac9ca86f104c553978b7bb72540fb107b47cbc9dc4e24b23e22f17c861ab

    • SSDEEP

      12288:nqiqKjrw8GoDTvWR5Khf4albmpNORhrhGrUi2:nqqE8HDrdN7RakzreU7

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail clients and FTP clients and sends them out over SMTP, FTP or HTTP, among other channels; the extracted config above shows this sample's SMTP channel (smtp.yandex.com:587).

    • AgentTesla payload

    • System Binary Proxy Execution: InstallUtil

      Abuse InstallUtil to proxy execution of malicious code (ATT&CK T1218.004). InstallUtil.exe is a Microsoft-signed .NET Framework utility that runs installer code from an assembly handed to it, so code launched through it runs under a trusted image name. An InstallUtil process that starts with no assembly argument, or is spawned by an executable in a user-writable directory, is the thing to alert on.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions. WinSCP keeps saved sessions in the registry under HKCU\Software\Martin Prikryl\WinSCP 2\Sessions (or in WinSCP.ini in portable mode); saved passwords there are obfuscated, not encrypted, so any process that can read the key can recover them.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store profile data and saved account credentials on disk and in the registry, which infostealers routinely harvest.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files (ATT&CK T1552.001), here the FTP-client and browser data files listed above.

    • Accesses Microsoft Outlook profiles

      Outlook keeps account settings, including saved mail passwords protected with DPAPI, in the user's profile keys under HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles; a process running as that user can decrypt them.

    • Suspicious use of SetThreadContext

      SetThreadContext lets one process rewrite another thread's register state. Together with the InstallUtil indicator this is consistent with process hollowing: a legitimate binary is started suspended, its image is replaced with the payload, and its main thread is pointed at the new entry point before it is resumed.
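As an added example (not part of the sandbox report and not code from the Agent Tesla sample), the following Python turns the behaviours listed above and the SMTP exfiltration channel from the extracted config into detection logic run over constructed, Sysmon-like process, network and registry/file events. The event schema, the browser-store paths, the USER_WRITABLE list and the MAIL_CLIENTS allow-list are assumptions for the example; the WinSCP, FileZilla and Outlook locations are the stores the report names.

```python
"""Constructed triage rules for the behaviour chain in this report: InstallUtil
proxy execution (T1218.004), credential-store reads, and SMTP exfiltration.
The event records are constructed, Sysmon-like dicts, not real telemetry."""
import re
from collections import defaultdict

# Credential stores the report says the sample touches. Case-insensitive regexes
# over a file path or registry key. The Chrome/Firefox entries are assumed
# locations for "web browser data" and are not quoted from the report.
CRED_STORE_PATTERNS = [
    (r"\\martin prikryl\\winscp 2\\sessions", "WinSCP stored sessions"),
    (r"\\filezilla\\(sitemanager|recentservers)\.xml", "FileZilla site data"),
    (r"\\microsoft\\office\\\d+\.\d+\\outlook\\profiles", "Outlook profiles"),
    (r"\\google\\chrome\\user data\\[^\\]+\\login data", "Chrome saved logins"),
    (r"\\mozilla\\firefox\\profiles\\[^\\]+\\logins\.json", "Firefox saved logins"),
]
SMTP_PORTS = {25, 465, 587}
# Processes allowed to speak SMTP from a workstation (assumption for the example).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Directories a dropper typically runs from (assumption for the example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def installutil_proxy(ev):
    """InstallUtil started with no assembly to install, or by a parent living in a
    user-writable directory, is proxy execution rather than a real install."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "installutil.exe":
        return None
    args = ev["CommandLine"].split()[1:]
    has_assembly = any(a.lower().endswith((".dll", ".exe")) for a in args)
    parent = ev.get("ParentImage", "").lower()
    if not has_assembly:
        return ("proxy_exec", "InstallUtil.exe launched with no assembly argument")
    if any(p in parent for p in USER_WRITABLE):
        return ("proxy_exec", f"InstallUtil.exe spawned from user-writable path {parent}")
    return None


def smtp_exfil(ev):
    """Outbound SMTP from anything that is not a mail client."""
    if ev["EventID"] != 3 or ev.get("DestinationPort") not in SMTP_PORTS:
        return None
    if basename(ev["Image"]) in MAIL_CLIENTS:
        return None
    return ("smtp_egress", f"{ev['DestinationHostname']}:{ev['DestinationPort']}")


def cred_store_access(ev):
    """File (11) or registry (12/13) access to a known credential store. In this
    constructed schema both event kinds carry the path in TargetObject."""
    if ev["EventID"] not in (11, 12, 13):
        return None
    for pattern, label in CRED_STORE_PATTERNS:
        if re.search(pattern, ev.get("TargetObject", ""), re.IGNORECASE):
            return ("cred_read", label)
    return None


RULES = (installutil_proxy, smtp_exfil, cred_store_access)


def triage(events):
    """Map ProcessId -> list of (kind, detail) for every process that fires a rule."""
    findings = defaultdict(list)
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings[ev["ProcessId"]].append(hit)
    return dict(findings)


def escalate(process_findings):
    """Any two of the three stages (proxy exec, credential reads, SMTP egress) on
    one process reproduces the chain in this report and deserves a human look."""
    return len({kind for kind, _ in process_findings}) >= 2


INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
SAMPLE_EVENTS = [  # constructed events modelled on the report's indicators
    {"EventID": 1, "ProcessId": 4120, "Image": INSTALLUTIL, "CommandLine": f'"{INSTALLUTIL}"',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\Encomenda Fornecedor nº 72718_____PDF.exe"},
    {"EventID": 13, "ProcessId": 4120, "Image": INSTALLUTIL,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Martin Prikryl\WinSCP 2\Sessions\prod\HostName"},
    {"EventID": 11, "ProcessId": 4120, "Image": INSTALLUTIL,
     "TargetObject": r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"EventID": 3, "ProcessId": 4120, "Image": INSTALLUTIL,
     "DestinationHostname": "smtp.yandex.com", "DestinationPort": 587},
    # Benign noise: Outlook sending mail, and a developer really installing a service.
    {"EventID": 3, "ProcessId": 2200, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
    {"EventID": 1, "ProcessId": 3300, "Image": INSTALLUTIL,
     "CommandLine": rf'"{INSTALLUTIL}" C:\build\MyService.exe', "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, "ESCALATE" if escalate(hits) else "review", hits)
```

Only the hollowed InstallUtil process (PID 4120 in the constructed data) fires rules; Outlook's legitimate submission on 587 and a developer's real InstallUtil run with an assembly argument stay quiet. Correlating by process rather than alerting on each rule alone is what keeps the SMTP rule usable on hosts where mail clients are in use.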

MITRE ATT&CK Enterprise v15

Tasks