Overview

overview

10

Static

static

3

Awb 4586109146.exe

windows7-x64

7

Awb 4586109146.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    03b4f637db3a78cb4fc89d4a3872b59eadbdf5d784b5496745e4a218fe109a99

  • Size

    750KB

  • Sample

    241218-j29nwsskep

  • MD5

    48edb19695ad6235724d41a39b669a5a

  • SHA1

    e14706b049b8f366aab8a361a41e0073ce61480d

  • SHA256

    03b4f637db3a78cb4fc89d4a3872b59eadbdf5d784b5496745e4a218fe109a99

  • SHA512

    019cf6b19a3bf0823d83c8db01a1156e05f4a41ba8990e168f3e0da23b88ef343b311a9f63cbc63b5140d53a7a27c03f152e1d734d3b6de485f913ce70767607

  • SSDEEP

    12288:vPxhEqc/wHUIpFPtHGDn+HHms1X94+wSO2sMowTOb/fN07wf3geDUm0RdQm5cv59:nrEqc/wHUQFPtmDOGsR94QO2s0TMfN0G

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      Awb 4586109146.bat

    • Size

      776KB

    • MD5

      a3bb238f798a512f7465f804735b8f9a

    • SHA1

      31c7c96a95c22e7f4ab58b0f5330c4c79172be79

    • SHA256

      9775ae8b4fa626011fb022ede69e2ec2bec2b7868bb70bda276da0145b4b410f

    • SHA512

      4038f9e8b93e6e4dfa4f4b7493bb2e5988ee29a2d91029fa136549f424140cf0a77426d8739d40e95c5ac943681b384bdeb966d84bce0693c24d578220c1365e

    • SSDEEP

      24576:4dEqcVwnUAFPtUBCSoR94Ou2sgnqVNO7qg+E5cnj:HqcVwnhFPtU7oR3uIn6NAqDE5cnj

    Score
    10/10
    discoveryagentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      ab1db56369412fe8476fefffd11e4cc0

    • SHA1

      daad036a83b2ee2fa86d840a34a341100552e723

    • SHA256

      6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

    • SHA512

      8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

    • SSDEEP

      48:S46+/zTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mxofjLl:z5uPbOBtWZBV8jAWiAJCdv2CmAL

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks