General

  • Target

    f4fae8a41714f7aa38d04f98da78b23b_JaffaCakes118

  • Size

    512KB

  • Sample

    240925-c1632szejq

  • MD5

    f4fae8a41714f7aa38d04f98da78b23b

  • SHA1

    53de3e817137733e3f8820e8b566e3cc83c334e2

  • SHA256

    797e3b6340944e90b13c25b3c1c44427bfe5649bc8edfa2a23e3030331a0d2fa

  • SHA512

    0c369e7b47a4e61ded546a151f1244e2aa7a68073183f6632d27c3e2441d3e966ea31916c1381104cde8536e2a5b225b91a75ee5e15a65d6b95ad7bf6d85a3b8

  • SSDEEP

    6144:7Hd0/DOmnhSQ+3HwOcc0WQ0z/oDjYdWqLMVwOvI+91GVp5hT8aDZR2QSpfxDFVyO:Wzocc0WQg/oDjvVwOvRG74+kDPuryX

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.jkdb.com.sg
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ikoh08ju11lee1976

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks