Overview

overview

10

Static

static

3

QUOTATION#00439.exe

windows7-x64

10

QUOTATION#00439.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cd33d31a9816f7f440815d04335a4635539ee94a238968c594a1af85b08f9d0d

  • Size

    798KB

  • Sample

    250125-kpp96awrem

  • MD5

    9a1af5327c1f3a4e960aca3bb999a4ca

  • SHA1

    1c7e36e5734c5a57e8168140b6616df5f339a2f4

  • SHA256

    cd33d31a9816f7f440815d04335a4635539ee94a238968c594a1af85b08f9d0d

  • SHA512

    0f261358c6c859cda54c07ae9b203b7c43ce1d854aa1ab6239af1eee6931c676765f9f2a785cf3c41bdedc01de404bb0ce85bdce347951ce30cb50ec4ad07d3a

  • SSDEEP

    24576:NgFshk+z/GCHJUy7RJWQMfTpl/Rh+xZinn:NgFJ5CpVRDSRRh+xZin

Score
10/10
agenttesladiscoveryexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    nXe0M~WkW&nJ

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    nXe0M~WkW&nJ

Targets

    • Target

      QUOTATION#00439.exe

    • Size

      902KB

    • MD5

      e9462162ef8333e2452c5fa0f767d397

    • SHA1

      169162aa4ac1764e051f1444bf22313e527eb5a0

    • SHA256

      609bc44c18519741abb62259b700403e05cc0fd57b972ef68ca6ae8194d27f2a

    • SHA512

      9f86b523a8851c42dd428b0038ccfd592d3d726b3485cdbc8805bb307142f313212168be356bcf0bc6bdb8f7242df8d5a08e287fbc5ccf3553a409427dbd6e8f

    • SSDEEP

      24576:KWv3tv3GuXDFa/Q56oFiUrGJq5o5R3X3N:5vNTeQ56oL4CeH3N

    Score
    10/10
    agenttesladiscoveryexecutionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Command and Control

Exfiltration

Impact

Tasks