General

  • Target

    a4ca1049041a6c889945c71e19a547d66741f20c60db451c0cea3451b990231b

  • Size

    624KB

  • Sample

    241003-j1jfbatall

  • MD5

    6e163d10ccb65a60d08fb628758ca874

  • SHA1

    c9d75a6070c5f4cdc3327998536dae4a82e21c6d

  • SHA256

    a4ca1049041a6c889945c71e19a547d66741f20c60db451c0cea3451b990231b

  • SHA512

    89bf3648497c5a1857ba6b23dcafd78760080c9f895a058735b41334fcb49210ff838a58d86e1b1126564fdc69cdfb023dadd6f2b3a8528d45a3071c324c5e3f

  • SSDEEP

    12288:WuJOAGf8+rbgYUdCP6wdg9vZlnw6/99OkJ9TaRxxkYv8HrmvTmsiO4RlAOj+:VEU+o0BiRlnVvJJ9GC/sT4p+

Malware Config

Extracted

  • Family

    agenttesla

Extracted Credentials

  • Protocol:
    smtp
  • Host:
    zqamcx.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Methodman991

Targets

    • Target

      PROFORMA FATURA.exe

    • Size

      804KB

    • MD5

      49c53c3c0868699a9cbe2ef3d5bfcb8e

    • SHA1

      3113b54138af9199fd97f96a42542541b6a8fdb3

    • SHA256

      0ad205b2d883bca56250246f308228379c27f6114d8b740014deeef53b3412bb

    • SHA512

      2a3a51767f4409a70e5fff84468a0aebd2eb7ea200f09aebdb2fb70274a4d25fa05c15e1194d4cbd3fe83d060d53aa4a584ae6449977af63d142b9d3ec82e7e3

    • SSDEEP

      12288:DrG4eUyzwoF6w7g9vZ7Bw6/992kJ9TaRdxkYv8HrAvTmeXNig8g7N5hkR:WvUClwR7BVvRJ9GOted77Ni

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15