Overview

overview

10

Static

static

3

MACHINE QUOTATION.exe

windows7-x64

10

MACHINE QUOTATION.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1c5504c4654c83bc512b90f21ea3df73d904949208ee2f3fae27c786a4ac1be1

  • Size

    738KB

  • Sample

    250128-kwszmatmgw

  • MD5

    4db41d57c2937c7ba85cbb8322ae74c3

  • SHA1

    78ade6a8530772875f46d482fc868d20701f1149

  • SHA256

    1c5504c4654c83bc512b90f21ea3df73d904949208ee2f3fae27c786a4ac1be1

  • SHA512

    6dd4bd8913c6155bdfbc5f3780aa2566888a80d4e8a0995e2ae71e7c9e937917586a8cbc0989d206aca26422fe4407566591930553fc3fa55e452d0e2a5f0407

  • SSDEEP

    12288:zWawkzG7Zow1Gqfu8yqcrkcjiKvKi4XITPr4YtGOxhrnBGVUUOLnpek+nj/ZK1KQ:zp01Gq28KrHi2XD7VXnsinpx+nkwQ

Score
10/10
agenttesladiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    nXe0M~WkW&nJ

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    nXe0M~WkW&nJ

Targets

    • Target

      MACHINE QUOTATION.exe

    • Size

      883KB

    • MD5

      edf8a8b0595ac38ea30e56220fc85e3b

    • SHA1

      0bbc5848fb984c113f862aeb2198743b3591ddf1

    • SHA256

      737981c73007c1fd4dc3cf2d9a5c79cb004fe48bdf3cba06b4ead50b3a57af13

    • SHA512

      922e1e0633d5256a4064fc0fc459287c8eea16928bd21eaa92fadf3562f672b6844b7d35b475d2f3f9201b9e00fa088b80f465358d427f377518e7f517aaa8de

    • SSDEEP

      24576:O0f6kUfP9ChNtxCNR7g7kiJ24kpjjY3X3N:OqXUXwhNtEPIvJDkpjcH3N

    Score
    10/10
    agenttesladiscoverykeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks