General

  • Target

    tmp000013a4.zip

  • Size

    966KB

  • Sample

    250120-zk4djsykal

  • MD5

    e37e047280d93a217170d473c96fa9e5

  • SHA1

    61068fcfb850b1d974a722c5146ed13b0be93d62

  • SHA256

    ad16c93eff7210ba69a2491146598c99b0481f424a109ff823600fc1bf2193f1

  • SHA512

    c59121585bdf9b2f35e67e8b0b3586cdfccf5a4824d230674eed2916bc2f9a03d0c2227f2b4db0a288f9ea2e2ea0ca763eefddd54e34dd628dffa3af9f7bb257

  • SSDEEP

    24576:x6PutySwzwW1tQwyNlbBHCRL7SMDEg5983MZwrQQPrp/2cHN:mutySvKtQRbBmmMAyWMs9Prp/2cHN

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    (=8fPSH$KO_!

Targets

    • Target

      checksums.txt

    • Size

      46B

    • MD5

      724f12365710cd015e8779b2255d5fb6

    • SHA1

      22e2b5360e443dd993a58b845fe3fd6864b4bcf3

    • SHA256

      d7cea7146807268c22d5c4e9d53905bb274cd5407b04a89cfb9364a99b1a9c21

    • SHA512

      8095938d2bfe0072c9a1f3afb158032d3b6f747ebec3bf56dabac6bc4cb5dc6c189b9ffd635547dbd99ae40b29bd06afc346920af470dcd3ab985e0b98ca5a3c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      tmp000013a4

    • Size

      1.4MB

    • MD5

      afe158e0cfaf6edb69a6b10d93e9693c

    • SHA1

      78ddfd4b6e756485e15f9b6e4c41716eb081595e

    • SHA256

      8485e51729ce9952159219b3576df7745a1254f655beb91c05fd53143250ee5f

    • SHA512

      0d1712d772534ce7bae6ce18726db1883ec9756f30f0d7978dcd405983bbf6d3dbd9905058ccff389eea691cb8497fc89cd4b86f7706b9ec1c4c809b93a8ea2a

    • SSDEEP

      24576:6tb20pkaCqT5TBWgNQ7a49nbTHCTNdSM3E479ghMzwfA87rL/UyHuK6A:nVg5tQ7a4dbT+YMU64MSh7rL/UyH95

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15