General

  • Target

    b62c9088b355e9c7c628077fae73cb25e201b34eba1bc0367a6959b8e09fbbc8

  • Size

    1.3MB

  • Sample

    250121-r2vhzayqhj

  • MD5

    8d0f93120d3c3ad8c02f787e22fd55b1

  • SHA1

    8f259c0ec77080cc631f08abcb69b13ae1f8759e

  • SHA256

    b62c9088b355e9c7c628077fae73cb25e201b34eba1bc0367a6959b8e09fbbc8

  • SHA512

    bbc7e3cc076bb1702d1aba0a5dbfbe3539586c8b31eb8c0110408b7424c3b3a2b08e207d6de1db2ae3b90dbaff0a6dc5a350adda1253c3102f14844ada3a24aa

  • SSDEEP

    24576:2yuZtkvocDWTpF9h7O5Ryuma3j5CP4DLn7c2+isCbXusbot5sZ6B1d7BqLuVGG84:QTeDWFHM5Rqa3j5CPzIX5fZ6B1cukG84

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dos
  • Password:
    Doll900@@

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dos
  • Password:
    Doll900@@

Targets

    • Target

      Product-QTY/Product-QTY.scr

    • Size

      1.9MB

    • MD5

      1fb48048a9a0082b479edbcb74582e17

    • SHA1

      a81a6b5ae987b61a0a673185079890ab97d1267d

    • SHA256

      8cf57cb74dda7f2e0eee293f7f4aed335ccfc7425500634c3775556dd46a6963

    • SHA512

      5b13f218de6951969b1c13322e6d2bb474b5030a81e946f7ca7e4017ec7e06174c1544659ae55214d01add7fbe15dea1cc44463abb8bca438750f2f18084294a

    • SSDEEP

      49152:sntWDI3JI53q23h5uXhKXHzlWR1K9BaFFU:stWDI3Jc6A5uXcBWRzF

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks