General

  • Target

    da60994601ad4b31f625a19d3eb1b5ddb57366d0570870ad3d1e96a7613ed609

  • Size

    819KB

  • Sample

    250117-bprzbayjfr

  • MD5

    541e681ec46a8fdc3123c57b0f5d7203

  • SHA1

    9ab51a66da89f0ebee0caf9d82ea05b11f457ae8

  • SHA256

    da60994601ad4b31f625a19d3eb1b5ddb57366d0570870ad3d1e96a7613ed609

  • SHA512

    5a1830d117f1dcd18d1071798104c0878ab88f0901a7cdf01ca211f3b13aac3bcfba6716f416481cee05ed3f15929d435d8682cd8a9a562ba190795ccbd4ef75

  • SSDEEP

    24576:odqi4g8NokSwS3rn4hJk6F5VOWcs5KS8GmJWK:odKg8NokbnLFDOWcpzUK

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    162.254.34.31
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    JaR4LTajHPY5

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Order_Request SO-124465.exe

    • Size

      924KB

    • MD5

      23af09149a763422a984f75d1aee99f7

    • SHA1

      a744ec1977556c64257eade7e9f3bc8c903d14f9

    • SHA256

      3c0b9b0b239b7a68824a36d9d9e724af717ae05fca697e0563cf93e24a22e335

    • SHA512

      a8a6c94cbba7244de717508905af6791ffa8bd2a0a1e06776def50f76195deae3c9ff0a0e4922d76df5315654ee54e1ad1bc58e37871a255bce2f714f37dff00

    • SSDEEP

      24576:GuA8h591jcS39X+6RJNBIQll+hQT2jiux51:8K31P9X3RFIQlluQsx/

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell and hide the display window.

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      51e63a9c5d6d230ef1c421b2eccd45dc

    • SHA1

      c499cdad5c613d71ed3f7e93360f1bbc5748c45d

    • SHA256

      cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

    • SHA512

      c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

    • SSDEEP

      96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks