General

  • Target

    908bd3cae1a5660edb6221b5fd0e82a6635bd879c232ac2989368422a06f599a

  • Size

    5.0MB

  • Sample

    250123-bm7a8avmez

  • MD5

    7da1328a090bdb56ac83609bebea95a3

  • SHA1

    179767c5809c2076b4fb83b39de496a846a68470

  • SHA256

    908bd3cae1a5660edb6221b5fd0e82a6635bd879c232ac2989368422a06f599a

  • SHA512

    894739fed47d853fa22fcd7ff1f80032dbbe0990706d1806290b76391b5914bd794dd19dfa62f0d46d97827ae726bf19f3a755a073ff7c63ba8cc4088f8772d3

  • SSDEEP

    98304:2NKM1K9okjFRu+qTzf/T+fI9pW1fKIliydJePcpNrXJG1mqnIrKLfHHsR3VjZKU0:oKM9kbu+MDKwy1yIliAsarXJG/0PFjUN

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    nXe0M~WkW&nJ

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    nXe0M~WkW&nJ

Targets

    • Target

      MACHINE QUOTATION/MACHINE QUOTATION.exe

    • Size

      192KB

    • MD5

      93c7b66d77406f6b64507631a24bc140

    • SHA1

      ad6c3790c982c6f5cf0fc34a0ff9d2098d7df8b5

    • SHA256

      95687da203507a11837eaeb29bfe86481828b74b62fc869604b5eaa552f950c2

    • SHA512

      5b9d4d085d84ff215c70e49cb7d15c1d512996fe48b711d54a2553cb80581e6e6031b47f775fb3c2bede18e33a1803f25e0cf7eca127f3d205130e8194a55fba

    • SSDEEP

      3072:MGEIeLWnY8Ism+CE1UwI1tUh8MMtpDAyWHSq3BJW:NEI/nHCE1YtU+l7sfB

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), written in Visual Basic .NET. It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the extracted config above shows this build using FTP.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run key so the payload is launched again at each logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is the usual final step of process hollowing: the payload is written into a suspended child and its main thread is redirected to the new entry point.

    • Target

      MACHINE QUOTATION/tedutil.dll

    • Size

      14.1MB

    • MD5

      f5d36baa964bd1f219483fbd39013d97

    • SHA1

      09d2ba088ce0982a09f59615cd4622ff83055a8d

    • SHA256

      290a36d8428ef6694919b9aeb575003cb1ed58a80b716bb270a578b37ff15926

    • SHA512

      993696e0f0f41aae0c171b09065f997a010583d90cef439e836811bd546a5a412043d67059d9c5dec635bfb6d1e6af7b748f076481600b21b253342a6a985248

    • SSDEEP

      196608:R4ySSA0Y+7qPljTEp6vrO3KKJdEh0G1GPB1xbVr6H:KySSA0P7qPlC6Ph3I51nW

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), written in Visual Basic .NET.

    • Agenttesla family

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run key so the payload is launched again at each logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is the usual final step of process hollowing: the payload is written into a suspended child and its main thread is redirected to the new entry point.
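The signature lists for both targets above (credential-store reads, Run key persistence, external IP lookup, SetThreadContext) and the extracted FTP configuration can be turned into host-side detection logic. The following is an added example, not part of the sandbox report or of any vendor's product: it runs the report's behaviours as rules over a simplified EDR-style event stream. The event schema, the process IDs and paths in the sample events, and the list of IP-lookup hosts are assumptions for illustration; the FTP host comes from the report's extracted config.

```python
import re
from collections import defaultdict

# Signature names taken from the sandbox report, plus two network checks
# derived from its extracted FTP configuration.
SIG_WINSCP = "Reads WinSCP keys stored on the system"
SIG_FTP_CLIENT = "Reads data files stored by FTP clients"
SIG_EMAIL = "Reads user/profile data of local email clients"
SIG_BROWSER = "Reads user/profile data of web browsers"
SIG_RUN_KEY = "Adds Run key to start application"
SIG_IP_LOOKUP = "Looks up external IP address via web service"
SIG_THREAD_CTX = "Suspicious use of SetThreadContext"
SIG_FTP_OUT = "Outbound FTP connection (port 21)"
SIG_KNOWN_C2 = "Connects to host from extracted config"

# Host from the report's extracted credentials block.
EXTRACTED_C2_HOSTS = {"ftp.ercolina-usa.com"}

# Assumed list of IP-lookup services for this example; the report does not
# name the service this sample used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com",
                   "icanhazip.com", "ipinfo.io"}

# Registry keys / file paths behind the report's "Reads ..." signatures.
CREDENTIAL_STORES = {
    SIG_WINSCP: [re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions", re.I)],
    SIG_FTP_CLIENT: [re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)],
    SIG_EMAIL: [re.compile(r"\\Thunderbird\\Profiles\\", re.I),
                re.compile(r"\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles", re.I)],
    SIG_BROWSER: [re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|Mozilla\\Firefox)\\.*"
                             r"(Login Data|logins\.json|cookies\.sqlite)$", re.I)],
}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def detect(events):
    """Map each pid to the set of report signatures its events trigger.

    Event schema (assumed for the example): {"pid", "type", "target", ...}
    with type in process_create | file_access | reg_access | reg_set | dns |
    connect | api.  Registry/file reads are what a sandbox or EDR hook sees;
    Sysmon alone does not log registry reads.
    """
    hits = defaultdict(set)
    for ev in events:
        pid, kind, target = ev["pid"], ev["type"], ev.get("target", "")
        if kind in ("file_access", "reg_access"):
            for name, patterns in CREDENTIAL_STORES.items():
                if any(p.search(target) for p in patterns):
                    hits[pid].add(name)
        elif kind == "reg_set" and RUN_KEY.search(target):
            hits[pid].add(SIG_RUN_KEY)
        elif kind == "dns" and target.lower() in IP_LOOKUP_HOSTS:
            hits[pid].add(SIG_IP_LOOKUP)
        elif kind == "connect":
            if ev.get("port") == 21:
                hits[pid].add(SIG_FTP_OUT)
            if target.lower() in EXTRACTED_C2_HOSTS:
                hits[pid].add(SIG_KNOWN_C2)
        elif (kind == "api" and ev.get("api") == "SetThreadContext"
              and ev.get("target_pid", pid) != pid):
            # Cross-process SetThreadContext is the hollowing tell; a thread
            # of the caller's own process is routine (debuggers, runtimes).
            hits[pid].add(SIG_THREAD_CTX)
    return dict(hits)


def flagged(hits, threshold=3):
    """Pids showing at least `threshold` distinct signatures.  A single
    signature (e.g. a Run key) is common in legitimate software; the
    combination of credential reads, persistence and exfil is not."""
    return sorted(pid for pid, sigs in hits.items() if len(sigs) >= threshold)


# Constructed sample telemetry (not captured from the real sample).
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "process_create",
     "target": r"C:\Users\victim\Downloads\MACHINE QUOTATION\MACHINE QUOTATION.exe"},
    # Loader writes the payload into a suspended child and redirects its thread.
    {"pid": 4242, "type": "api", "api": "SetThreadContext", "target_pid": 4300},
    {"pid": 4300, "type": "reg_access",
     "target": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\prod-ftp"},
    {"pid": 4300, "type": "file_access",
     "target": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 4300, "type": "file_access",
     "target": r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\ab12cd34.default\logins.json"},
    {"pid": 4300, "type": "file_access",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4300, "type": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tedutil"},
    {"pid": 4300, "type": "dns", "target": "api.ipify.org"},
    {"pid": 4300, "type": "connect", "target": "ftp.ercolina-usa.com", "port": 21},
    # Benign noise from an unrelated process.
    {"pid": 1337, "type": "file_access", "target": r"C:\Users\victim\Documents\notes.txt"},
    {"pid": 1337, "type": "connect", "target": "updates.example.com", "port": 443},
]

if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for pid in flagged(results):
        print(pid, sorted(results[pid]))
```

The hollowed child (pid 4300 in the constructed data) collects all the credential-store and network signatures, while the original loader only shows the cross-process SetThreadContext call; correlating parent and child by the injection event is what ties the two together in a real investigation. The extracted FTP host and credentials are also worth a network-side rule: plain FTP to port 21 from a user workstation to that host is exfiltration, not a client misconfiguration.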

MITRE ATT&CK Enterprise v15

Tasks