Overview

overview

10

Static

static

3

ZAMOWIEN.EXE.exe

windows7-x64

10

ZAMOWIEN.EXE.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

bassangern...er.com

windows7-x64

bassangern...er.com

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ZAMOWIEN.EXE.exe

  • Size

    990KB

  • Sample

    241202-jptf5s1qeq

  • MD5

    92f4a16e61583401fdfd50a10968c13e

  • SHA1

    e90b5106e9cb3aa751e9f3ec63dff51e67238bb2

  • SHA256

    3ec0db2719a540246ea9bfecb36bf27b022a88c50e6a866187eda2480049bdf8

  • SHA512

    c408635513111fec341922701471b980698c9020667fb80c575db151f0055c685b27c25a16f6defaa87048251a848ed1316b7720b682e964a655def0d7fd0b4c

  • SSDEEP

    24576:fvCFfkjb7WrPHf4XTK/yiXQ8l9HZONDejqaBjiMD95g7I:yFfk7Qn4DKXXt+ej9iMD9F

Score
10/10
agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    hr,d@KUwa5llI%*RNL^J]g%8I;!;_Ne#G1h~lE!*86DAAD6#iLm$x)r+e1z$p+_Q,4_(f!};B?vD!IG?NqT[zOHNr6_nww[S]V?MlcYSt_QO

Targets

    • Target

      ZAMOWIEN.EXE.exe

    • Size

      990KB

    • MD5

      92f4a16e61583401fdfd50a10968c13e

    • SHA1

      e90b5106e9cb3aa751e9f3ec63dff51e67238bb2

    • SHA256

      3ec0db2719a540246ea9bfecb36bf27b022a88c50e6a866187eda2480049bdf8

    • SHA512

      c408635513111fec341922701471b980698c9020667fb80c575db151f0055c685b27c25a16f6defaa87048251a848ed1316b7720b682e964a655def0d7fd0b4c

    • SSDEEP

      24576:fvCFfkjb7WrPHf4XTK/yiXQ8l9HZONDejqaBjiMD95g7I:yFfk7Qn4DKXXt+ej9iMD9F

    Score
    10/10
    agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      0ff2d70cfdc8095ea99ca2dabbec3cd7

    • SHA1

      10c51496d37cecd0e8a503a5a9bb2329d9b38116

    • SHA256

      982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

    • SHA512

      cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

    • SSDEEP

      192:eK24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlASl:u8QIl975eXqlWBrz7YLOlA

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      bassangerne/halvakse/sprtter.com

    • Size

      317KB

    • MD5

      2065053f8690386adb8cd35f9064c64c

    • SHA1

      ec62b55f8178b86c350e7b47490046f9b2fb1574

    • SHA256

      b74077f003fe05f1147d8c96a7deffe44c07cbcfc4f35cf9f97eec69f3e1d389

    • SHA512

      91e667b943e8e7cab1bb0441bf27170c1cea30253f2c3ea63c9ee305d262df3a7eb1ec1c115852995e6c6a6e01b3dec7b57a3418086471739a71639a7d5a0345

    • SSDEEP

      1536:ZlQllV6CDA7MPbmnsU16bMeUyDSKeVN/ABuS:SbwMzmYT1e4d

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks