General

  • Target

    06012025_1600_06012025_Holiday.7z

  • Size

    35KB

  • Sample

    250106-tkcb6ssrcn

  • MD5

    ad92bca098f644b1e209b63cc6be1e91

  • SHA1

    4174950f5211faef6f24ede5746d51211f1a4c94

  • SHA256

    4cf1c304f77df7bdf4d7768602b4749e4569b91724cb7466090a80425c12e0a9

  • SHA512

    8e231d3205795f0a9b12dd2a87fd8aa854a8349f0abf8af6ec2d34e38402f12d18a04b57849184906722cb6446abde361219a4f85128e27b9418724e788aca0c

  • SSDEEP

    768:KcuC+OSDbekxW34s0vIO20DOkR3qcZtOeRWvB0XBYVXYurGi:KvlbeWW37mKvyx8Yut

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    162.254.34.31
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ABwuRZS5Mjh5

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Holiday.exe

    • Size

      80KB

    • MD5

      7c337668aa535fb5bf4f544257b14e6a

    • SHA1

      ddb3dd9a43e8154469932a4a02ca54f02f351cf3

    • SHA256

      29222997a84ca691767245a9230f18ece9a4049fd48b39d8f3f207092e28022b

    • SHA512

      071d40b4671cd13e4ee55beab142095fdd781832cfb32500bb629e2a937c4602f46371eff4210dff769bc14a29b79faf55f9f1f9675316a031fd0e7cb163cff3

    • SSDEEP

      1536:ofwbYGb0vRpmKb4vYhCpd5Mlty1wI85u8Sz7IIdIggmj6sZYZ2SYyiJ/mH:zvUmKMAhCpYW1nY6y2/Y

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks