Overview

overview

10

Static

static

3

f1a872932a...c9.exe

windows7-x64

8

f1a872932a...c9.exe

windows10-2004-x64

10

Sakset.ps1

windows7-x64

6

Sakset.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f1a872932afe6964f188d3ddd0f2c2dfa639bfcdfd1baff74bdcd5eca8f815c9.exe

  • Size

    443KB

  • Sample

    241009-c3lj5azbmg

  • MD5

    e48da20cb37e235145461d1ef93d560e

  • SHA1

    cbea11aeb4c0ce13c251b5f9bf13560882602a9b

  • SHA256

    f1a872932afe6964f188d3ddd0f2c2dfa639bfcdfd1baff74bdcd5eca8f815c9

  • SHA512

    276d051174944b9fca11e21db397fb462296d870faf11fc41b57335acddf475f641df74f4ffadeeb38a014ee1819ad185ad08f3d16d62aeb73d456332ade56a0

  • SSDEEP

    6144:NqC56ALcmpQFbVySc2pMOooOZFC7PPH9OvuGnzH6JOSOs+VrPfh8RBq/q4+96YJ0:KA9WL5c2pE8PHZGT64P5aRIle5FVaFzf

Score
10/10
agenttesladiscoveryexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.carbognin.it
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    59Cif8wZUH#X

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.carbognin.it
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    59Cif8wZUH#X

Targets

    • Target

      f1a872932afe6964f188d3ddd0f2c2dfa639bfcdfd1baff74bdcd5eca8f815c9.exe

    • Size

      443KB

    • MD5

      e48da20cb37e235145461d1ef93d560e

    • SHA1

      cbea11aeb4c0ce13c251b5f9bf13560882602a9b

    • SHA256

      f1a872932afe6964f188d3ddd0f2c2dfa639bfcdfd1baff74bdcd5eca8f815c9

    • SHA512

      276d051174944b9fca11e21db397fb462296d870faf11fc41b57335acddf475f641df74f4ffadeeb38a014ee1819ad185ad08f3d16d62aeb73d456332ade56a0

    • SSDEEP

      6144:NqC56ALcmpQFbVySc2pMOooOZFC7PPH9OvuGnzH6JOSOs+VrPfh8RBq/q4+96YJ0:KA9WL5c2pE8PHZGT64P5aRIle5FVaFzf

    Score
    10/10
    discoveryexecutionagentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Sakset.Res

    • Size

      52KB

    • MD5

      87d2841aab88bd011520d4b98298992f

    • SHA1

      cbdf74d62edcca1c96f44929c396383a405252f8

    • SHA256

      158c5134e2910f62d058a85124b81070ba5953276b7a0354ecb5fcc20db58b95

    • SHA512

      98d6af4ebafdd61012e0e8daf6c73526e016783f710bda0a17be859d9e9bf7411e914ff531d93b276f206713d47612a252d5bf27329044f8c7fb1a096311a603

    • SSDEEP

      1536:aTWK9EAa2SsfqrQwGXkNJAHBJOYhFQTWfT:aP9EOk0kshJNayT

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks