General

  • Target

    4c87baef6850203e490e688b78e07d764e2ad978676667ecb6fd07efdb579567

  • Size

    1.2MB

  • Sample

    250222-bqxwyswrz2

  • MD5

    07d9f281902b2343548260ad83dabff1

  • SHA1

    b2dec4cf79eec3d31abe9289b824f802e2f6c273

  • SHA256

    4c87baef6850203e490e688b78e07d764e2ad978676667ecb6fd07efdb579567

  • SHA512

    36ab323cdf2fce0e27f1166f593370a095c072b7829cc26d5c4684d7e88d1d1946aeccf1eb9b9c20a9b2dd46ba8362bde0d300474dd57944c23871e07751654c

  • SSDEEP

    24576:h36rrVVY0bpWTr0AK88jEHJpqzUZngQJsa+:h3ybpGgkppqz+OX

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      PO.bat

    • Size

      702KB

    • MD5

      0d35c3156b03e29ad07d6cf268c394a8

    • SHA1

      446e9ccdb3a54abeaac38e088352b18f09640f03

    • SHA256

      e37762c1624d0c77270d82c7e305e09aa32a3e20f017c0f4205ecac150910c29

    • SHA512

      3e68842c306509ec4ec1c49afa84bae9d0f62b924a777a2e09b6af1381c4af9b90597b212851693a58819b38439898533c73ea14fafdae11b2d146e217bc2279

    • SSDEEP

      12288:/36reEVVY0bT1WP7r0AK8XsjMrNHJpqzERZndvK7QJskkf9B9epdk9fVO:/36rrVVY0bpWTr0AK88jEHJpqzUZngQr

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      6e55a6e7c3fdbd244042eb15cb1ec739

    • SHA1

      070ea80e2192abc42f358d47b276990b5fa285a9

    • SHA256

      acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

    • SHA512

      2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

    • SSDEEP

      192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks