Overview

overview

10

Static

static

3

RFQ Delive...el.exe

windows7-x64

10

RFQ Delive...el.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f8b80b684a426df61d8b673471f808d5_JaffaCakes118

  • Size

    340KB

  • Sample

    240926-tervnswarp

  • MD5

    f8b80b684a426df61d8b673471f808d5

  • SHA1

    2035c8d4ecc43dbeb4cf9952fc66970f01fb3edd

  • SHA256

    acc1283fdd8eb6fc76069a30db6f082461fe87bc470cfc6fda0873c08f99ba13

  • SHA512

    ca13c6feba322004801b7258db35f5769fe26a0c19614b379734d97bf3d56bff45023e7b7f718778b8a804c6c39586c9194d82166f0b6c353707d5591cc0b0e4

  • SSDEEP

    6144:979SGCLa+LkpKcyAdYrNtc0q+ISGJsF3Kx+9Vo67nMSEvrHnqfh18Sch0UP3Uf7G:h9dCmYkpPy/g0q+3GJsFpu67nMPvDqpa

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojanupx

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    zgZsPQ$0

Targets

    • Target

      RFQ Delivery 3 Stones Excel.exe

    • Size

      857KB

    • MD5

      ee4a98eb8c3adef7708a6974f5931b25

    • SHA1

      d45813a6b419be0a4cea2a07ef7cb8a75e261293

    • SHA256

      a2e301c703d79b6d39f84d4135ff8bb2681500b1da30d034285453d5cb493a55

    • SHA512

      b6ae06d0dc4a0c0c3cf273fcfa6c3afd47377ee27e87276a0e17451d067fd0156d38c99b231e2d7dd28a4c0b386267a3fe97aa4995e9daa0e54b36eaa401f5b2

    • SSDEEP

      12288:l59M/CUUzFaobCO4kBSzCg6UPH//tg+QZYhyFMVBuWj+5286A28nV67a4z:lrYUhzRsCg6Yn++QKySKq7bAhVUz

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojanupx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks