Overview

overview

10

Static

static

1

5b6d5819cc...9c.vbs

windows7-x64

10

5b6d5819cc...9c.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_cf0bf5de52bbc06c76d726f34f17d10fe3759a067c1a51b704eefba18efe65d4

  • Size

    1.6MB

  • Sample

    241223-wfvdaswpes

  • MD5

    686973a54f3b3f8ad33e80fde707cde3

  • SHA1

    c0341a3c900988c7ef427f3529311b439b0719d2

  • SHA256

    cf0bf5de52bbc06c76d726f34f17d10fe3759a067c1a51b704eefba18efe65d4

  • SHA512

    96e0caa217bc81055f7d8475889cb0add2e4356fee9cc83bd6927d72d6dc6243d6b13f6e46bacce535ecdf6f1028ca52c0d8db70508977fded7c769d9119e5f2

  • SSDEEP

    49152:x/It+Hx0o/k6knVeAA5msFIKOS4mcyFyPQL1lV17r:x/eMeo/kJVezLZUSyP+1ljv

Score
10/10
agentteslaquasarofficecollectioncredential_accessdiscoveryexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5127674234:AAHGscjRk7JCDDCItFO4GPZfan-K7Hc89Z8/sendDocument

Extracted

Family

quasar

Version

1.4.0

Botnet

Office

C2

3.83.129.253:4747

Mutex

fa713452-a1f8-4da7-a382-97f45b1b5335

Attributes
  • encryption_key

    9C151EB9A0DBBD17722074A748153D56BF64F723

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      5b6d5819cc000436777cda63e9022fdd19b15a91451c7b8c4608db9fcf3d359c.vbs

    • Size

      2.4MB

    • MD5

      7a690238b7ada1318edede1f7190ac29

    • SHA1

      7c9df4979e1a5a9f205fc6c1e139112297ddc6bc

    • SHA256

      5b6d5819cc000436777cda63e9022fdd19b15a91451c7b8c4608db9fcf3d359c

    • SHA512

      e7c49f13ba5ba9c096c9c69746a2e908753ae3a2c03307c29d36a304023981a4bfc369776c1beff144c80dd7d4d4d47812054c86d4cbaddd8f665505c113af23

    • SSDEEP

      24576:CHZqNW+LcY+MC/2nd7xTFgLO3pCVXB0byLVswFtuUoQhAdWXAYK/ZB6rDVoWhCLm:2ZgU8ZEOgVR0OJt1oZB6HV7QUumt05y

    Score
    10/10
    agentteslaquasarofficecollectioncredential_accessdiscoveryexecutionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks