Overview

overview

10

Static

static

3

4e09705fc9...97.exe

windows7-x64

10

4e09705fc9...97.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4e09705fc9592258eaae7197c020154ca63dd68cb7bf86f72a764caccec0c397

  • Size

    639KB

  • Sample

    241124-bs75pssqhq

  • MD5

    5089336d3597b0bdb04bbe027e54082a

  • SHA1

    4d3abc99188696bf99e8c13aa97e7a57eeb74aab

  • SHA256

    4e09705fc9592258eaae7197c020154ca63dd68cb7bf86f72a764caccec0c397

  • SHA512

    a8b43672994925fdf8452cafd7bc0935bb62cec27099182d5f10a75b3dc266e77badfdb5bb1a57806c01382caa3fe4913a08b25d2b678486c46f452597b05846

  • SSDEEP

    12288:6Y7LJq4yAWNYqJFTPa2udBr5BvscpLnIhjEjE:665aYqtuD5B0yIhKE

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.sharpn.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    )^$(6$n3eSDoq@@##$$###

Targets

    • Target

      4e09705fc9592258eaae7197c020154ca63dd68cb7bf86f72a764caccec0c397

    • Size

      639KB

    • MD5

      5089336d3597b0bdb04bbe027e54082a

    • SHA1

      4d3abc99188696bf99e8c13aa97e7a57eeb74aab

    • SHA256

      4e09705fc9592258eaae7197c020154ca63dd68cb7bf86f72a764caccec0c397

    • SHA512

      a8b43672994925fdf8452cafd7bc0935bb62cec27099182d5f10a75b3dc266e77badfdb5bb1a57806c01382caa3fe4913a08b25d2b678486c46f452597b05846

    • SSDEEP

      12288:6Y7LJq4yAWNYqJFTPa2udBr5BvscpLnIhjEjE:665aYqtuD5B0yIhKE

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks