Overview

overview

10

Static

static

3

bill of la...nt.exe

windows7-x64

10

bill of la...nt.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0c3b9a7f5c742160a0a806156701545a_JaffaCakes118

  • Size

    717KB

  • Sample

    241002-yjw3eaxckb

  • MD5

    0c3b9a7f5c742160a0a806156701545a

  • SHA1

    a78620e3fa4d50ab0b07ab5253b89ef7dba4152d

  • SHA256

    9f824ba3474b90684904530bc8fcdc7587ed86a527cb881386b224d7b5b8ed33

  • SHA512

    97ebe0f1a9b4d01290ad4f4cdbb017b50cf9af8fc27ef6ab6232dc975bef483fb92f6bce315ff19240c1052badec2784454dd3a087e8c8763fa9ff25154c7e30

  • SSDEEP

    12288:4SPEw0heOL1kK9ZpcTKNGm0oM+h2ei4LRNUTaGwZRlM3wH7AAbpSyBD1durksLi1:6w0TZ59nh0oMDD4LRNUTarZRenTyBBdx

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.turkticaret.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ackr.2410

Targets

    • Target

      bill of lading and certificate of origin = container shipping document.exe

    • Size

      975KB

    • MD5

      d1683088475ef4670b55c3a1b3a68eb5

    • SHA1

      24e980c93491f3ab64acd78e87eb8dfeda8d141e

    • SHA256

      6e15e0a1a16d9b751be92a7407ff5412c3f32129f9d9ef5cf6ae4ea3e88edc7e

    • SHA512

      c0569a612c22b63ae24ed0db069682accb183e0d9fdf8e47b4c80b33f0ac0a23f018ca1e2140361d60fc092287782b4dc6bdaecda3f3f2b0f1329f02b921576c

    • SSDEEP

      24576:z5mKPPp9AR95y9N0v1wEB+d1xU58KUk2XqAZ:NLPpKRyYv+EE/xK1xA

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks