Overview

overview

10

Static

static

5

3cf2c0aa30...1N.exe

windows7-x64

10

3cf2c0aa30...1N.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3cf2c0aa307a4485eb1f730d8e1289d1036ca9381a59ee74e49c26f1d9184e41N

  • Size

    865KB

  • Sample

    241002-xdh3xs1cpj

  • MD5

    d8404d85fa9f6980630b5ee00b4a90c0

  • SHA1

    c72db1e830c1ec09a813824c4cb14719ac1f011c

  • SHA256

    3cf2c0aa307a4485eb1f730d8e1289d1036ca9381a59ee74e49c26f1d9184e41

  • SHA512

    d01d9bd2423ed849f0447d533229224a8dea26bb041f1a4f70be655855d243f7d2843bb6b138fa653b8e0f0aca932139204942fadde795e99bea1279fad2de49

  • SSDEEP

    12288:4YV6MorX7qzuC3QHO9FQVHPF51jgcqxk2HW06fpZYxEkaOiOeuZmCxcdif1BWk:XBXu9HGaVHqHHafpEEoeVCSUfuk

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojanupx

Malware Config

Targets

    • Target

      3cf2c0aa307a4485eb1f730d8e1289d1036ca9381a59ee74e49c26f1d9184e41N

    • Size

      865KB

    • MD5

      d8404d85fa9f6980630b5ee00b4a90c0

    • SHA1

      c72db1e830c1ec09a813824c4cb14719ac1f011c

    • SHA256

      3cf2c0aa307a4485eb1f730d8e1289d1036ca9381a59ee74e49c26f1d9184e41

    • SHA512

      d01d9bd2423ed849f0447d533229224a8dea26bb041f1a4f70be655855d243f7d2843bb6b138fa653b8e0f0aca932139204942fadde795e99bea1279fad2de49

    • SSDEEP

      12288:4YV6MorX7qzuC3QHO9FQVHPF51jgcqxk2HW06fpZYxEkaOiOeuZmCxcdif1BWk:XBXu9HGaVHqHHafpEEoeVCSUfuk

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojanupx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks