Overview

overview

10

Static

static

3

10029384756.exe

windows7-x64

10

10029384756.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    10029384756.exe

  • Size

    842KB

  • Sample

    241106-lfz9faznel

  • MD5

    8baafa32d7de3e0ba360e8df8c95e509

  • SHA1

    65555b69b67f242a68c83a1735d7764bcbb417a0

  • SHA256

    45a450142e00de4a60676d56cee58b35e2c59c0af562c7740cfc7c42c2175ba1

  • SHA512

    ce7b7897a037269e646f7f71d00100c463582f3b786f90b68916b4dd5ff9e60e3d85fdcf3cb1ecbef1de9c4ba21fb9a4770b50b97d8a3c0b6735a2062274d0d4

  • SSDEEP

    24576:lWO703h0R6ZL7h1sb1YDij7wt54gjOfHb:ookh0u91SYDrjc

Score
10/10
agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!

Targets

    • Target

      10029384756.exe

    • Size

      842KB

    • MD5

      8baafa32d7de3e0ba360e8df8c95e509

    • SHA1

      65555b69b67f242a68c83a1735d7764bcbb417a0

    • SHA256

      45a450142e00de4a60676d56cee58b35e2c59c0af562c7740cfc7c42c2175ba1

    • SHA512

      ce7b7897a037269e646f7f71d00100c463582f3b786f90b68916b4dd5ff9e60e3d85fdcf3cb1ecbef1de9c4ba21fb9a4770b50b97d8a3c0b6735a2062274d0d4

    • SSDEEP

      24576:lWO703h0R6ZL7h1sb1YDij7wt54gjOfHb:ookh0u91SYDrjc

    Score
    10/10
    agenttesladiscoverykeyloggerspywarestealertrojanguloaderdownloader

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fbe295e5a1acfbd0a6271898f885fe6a

    • SHA1

      d6d205922e61635472efb13c2bb92c9ac6cb96da

    • SHA256

      a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

    • SHA512

      2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

    • SSDEEP

      192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks