Overview

overview

10

Static

static

3

1af10fb30a...fc.exe

windows7-x64

10

1af10fb30a...fc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1af10fb30ad2ab965d77ba07ee1251ed8807cb468e8d8f5e4d63637f546c8afc

  • Size

    736KB

  • Sample

    250125-bj8pwayrhm

  • MD5

    a170fa9d0d0380c62202a17b02e906c2

  • SHA1

    19147aa921aa7846cb4e7d21b14486897e5d618a

  • SHA256

    1af10fb30ad2ab965d77ba07ee1251ed8807cb468e8d8f5e4d63637f546c8afc

  • SHA512

    8281fefbd7af257aa9819546c17fb90b015937165a7e7c0d0fc541f701b4fa3639cd0a4df8c62c51efd6537e392a5a363fb2cd2db3a55a3e563cb2135e56281c

  • SSDEEP

    12288:/Gwcr1EOGQyypkxbnZfvRWFybdc1l2X8v5dGrOywiVMRG7:/UbpcdHRgMdcX2MvTGg48y

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.epaindemgroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    1opilJee

Targets

    • Target

      1af10fb30ad2ab965d77ba07ee1251ed8807cb468e8d8f5e4d63637f546c8afc

    • Size

      736KB

    • MD5

      a170fa9d0d0380c62202a17b02e906c2

    • SHA1

      19147aa921aa7846cb4e7d21b14486897e5d618a

    • SHA256

      1af10fb30ad2ab965d77ba07ee1251ed8807cb468e8d8f5e4d63637f546c8afc

    • SHA512

      8281fefbd7af257aa9819546c17fb90b015937165a7e7c0d0fc541f701b4fa3639cd0a4df8c62c51efd6537e392a5a363fb2cd2db3a55a3e563cb2135e56281c

    • SSDEEP

      12288:/Gwcr1EOGQyypkxbnZfvRWFybdc1l2X8v5dGrOywiVMRG7:/UbpcdHRgMdcX2MvTGg48y

    Score
    10/10
    agenttesladiscoverykeyloggerspywarestealertrojancollectioncredential_access

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • AgentTesla payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks