Overview

overview

10

Static

static

3

4e6450026a...46.exe

windows7-x64

10

4e6450026a...46.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4e6450026aa0051335554e3621972b18534bb1f114c9e9f5487e727493dbf546

  • Size

    711KB

  • Sample

    241123-ccnxka1lcp

  • MD5

    7304317ec761e83beefdb71e4b555211

  • SHA1

    6e464bd1b655567b288f66ce3e2e6b57e66fa820

  • SHA256

    4e6450026aa0051335554e3621972b18534bb1f114c9e9f5487e727493dbf546

  • SHA512

    a3765d9750a80d78b1fb3c53a639256532f76604f0a67c18e80e87781a5c79d43fef5e4db0f24e67384f87f4fd68cfd2fc4c1882e70be297609afbd5a24cb285

  • SSDEEP

    12288:t2s7flbJWhEGaLEy1Lgksh5gW3ed5baAOl:t2s7lbvlzsozdFanl

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.antoniomayol.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Targets

    • Target

      4e6450026aa0051335554e3621972b18534bb1f114c9e9f5487e727493dbf546

    • Size

      711KB

    • MD5

      7304317ec761e83beefdb71e4b555211

    • SHA1

      6e464bd1b655567b288f66ce3e2e6b57e66fa820

    • SHA256

      4e6450026aa0051335554e3621972b18534bb1f114c9e9f5487e727493dbf546

    • SHA512

      a3765d9750a80d78b1fb3c53a639256532f76604f0a67c18e80e87781a5c79d43fef5e4db0f24e67384f87f4fd68cfd2fc4c1882e70be297609afbd5a24cb285

    • SSDEEP

      12288:t2s7flbJWhEGaLEy1Lgksh5gW3ed5baAOl:t2s7lbvlzsozdFanl

    Score
    10/10
    agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks