General

  • Target

    217d85f6a328d9ddf17dcfaf94ec940a5d1a4d7f217b1f36e93f78f3bbb986f8

  • Size

    697KB

  • Sample

    241121-ha4swstpdj

  • MD5

    4fb19128614bdd9c178325cc80405651

  • SHA1

    744d03de21fa1b94772af0d133ed122d0e3c4b2b

  • SHA256

    217d85f6a328d9ddf17dcfaf94ec940a5d1a4d7f217b1f36e93f78f3bbb986f8

  • SHA512

    2815d335bc44d924d5b32ab1f2a2e6d09ec9543abcbc10751e0134ed7f9e6ebff22735c5765761ae1e6f8d829341c428ced9e6b91c1fd7c823189197ab4e8c76

  • SSDEEP

    12288:0Kv4H0zp+8uxK1ZpWXTjjEhMqL+8mfqgwnB18VapGL05R7KamcdsqqVyZkpz:0q4cw8ODHOMqLESg4Bt205Qah6VRpz

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.starmech.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nics123

Targets

    • Target

      New Purchase Order.exe

    • Size

      959KB

    • MD5

      576bf1414c3a6cedb920100cffd76442

    • SHA1

      9cbed7b8a4d8a627efb136d56739c17736ae5fea

    • SHA256

      9af1bebf820242bdf04bc9a02ec681cac738353998ca9474716febfeb6bb200d

    • SHA512

      b4bec576df727d792e414733a37bcd593c0469fa9b45d475236873fc26b33e7c11095ae4df00af1fd6c2a6587c1c77e2c5f79151e6caba40d66ce8c96a6d1011

    • SSDEEP

      24576:3ijXbz23zxW9ozm3ai+BBvHLAGtMi5Qdsw:Kz29WYmtO5rFtMi8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks