General

  • Target

    abdb109330b20d81a4899ca3d4ede5b29f4d124ba4e79eb3f66365ba4e39792c

  • Size

    1.4MB

  • Sample

    250122-pw69gaxnhj

  • MD5

    5265093b1b1e2bddfe079079b21abdd9

  • SHA1

    fcbdabd0e6747cc983ded1df9aad152c3fbbcbd2

  • SHA256

    abdb109330b20d81a4899ca3d4ede5b29f4d124ba4e79eb3f66365ba4e39792c

  • SHA512

    dd06f808847681c215002b9b13be1570687657210f711498347e00a61828f1448aece7c0d173a46fd0b45b2ddd350f5f08697e8fcd8ba2eeed2137888a762e14

  • SSDEEP

    24576:CFBg3QPvp3CPEiOpEs3WuzV5u5ynfcTN8wWfSs3TkKZVm4wgdPU39p4Dqz7:Yg3AEEi2EsGuz9fM8weSs5ZVLc37/7

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    s4.serv00.com
  • Port:
    21
  • Username:
    f2243_abo
  • Password:
    Realak27@

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://s4.serv00.com
  • Port:
    21
  • Username:
    f2243_abo
  • Password:
    Realak27@

Targets

    • Target

      Product Specifications/Product Specifications.exe

    • Size

      2.3MB

    • MD5

      fb929fe9b83e868c4a76ce7a4da545cf

    • SHA1

      4d6a23429448d04719380e9d8d338d63c0a12cbc

    • SHA256

      8a63484cae4be6193f37830c47aa2ae720f3dcf1b03dd649bc2c3016ab8e45fa

    • SHA512

      c571f8e62753a9d30cc592aed03233400f9cdd24f3f16a0e11c46de6aa82bc6378124f4066a9a7e9a282c84a90542ab2b2358813386d5e25a8c91bc0fe04a9c0

    • SSDEEP

      49152:iwGJabp7lks1vkcwZ+99T2tbf9ShrsGQ5F/RzVzYYwWSslZNpEZVp:idh0aSsvN2v

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks