General

  • Target

    4559ddb0281b2b3c4dfa0a0dbdd7fa3d870e6744f5bb19d1b6575ac798d92374

  • Size

    899KB

  • Sample

    241015-jrfytsxcjm

  • MD5

    49b1d2a39bc371788b0f3bdbb138e95a

  • SHA1

    f66dacc1b53cedd0f519226645cfd959e0197ce5

  • SHA256

    4559ddb0281b2b3c4dfa0a0dbdd7fa3d870e6744f5bb19d1b6575ac798d92374

  • SHA512

    7fd222c73544a3ffd94ff9bb9e81f2d7f6d40fea0aeebbd59efd5e0b191024a4240fd58e959ae8142b9d81f0bc6d201432b6cf18233382b8c84a9f63877d7461

  • SSDEEP

    24576:XXk0FilGDo54i9Erh1WW/0EGoU0tXTDrbbXimKGLlx:XXFS6aed0IUEXTf3SmJT

Malware Config

Targets

    • Target

      COSCO SHIPPING WISDOM SHIP PARTICULARS.xlsx.exe

    • Size

      1.2MB

    • MD5

      8f8efad685362993d81ff8a2316e545b

    • SHA1

      06004934a883422e375886bf537fdb8e13300071

    • SHA256

      680053fa589159be381eefbb2dc016960a91beefe3d976e742000008be43067a

    • SHA512

      28a29bdd536acc34d262843486ccb27d01bb90866a4c517df5ff3d3a320aec1c5605508cf0cdbe3af34626af1178dd1733a159de2385684989c73d4d4b98aa83

    • SSDEEP

      24576:ffmMv6Ckr7Mny5QLbj6ngZtjU61JzjPyHGLXZndu1Cu7:f3v+7/5QLbj66tjUO/Pym7ZGv

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks