General

  • Target

    a65d5446560fdb518354b5de00172b944c1cb57291ed61ab039e84dd50755050

  • Size

    822KB

  • Sample

    250329-h4nzja1jy7

  • MD5

    216698b41a42a2486cafa64eb1d6d154

  • SHA1

    d3b062a34df3c90f9c96a9cc31ade19c9bd40612

  • SHA256

    a65d5446560fdb518354b5de00172b944c1cb57291ed61ab039e84dd50755050

  • SHA512

    5564c93b0502c2df03c0d0c7b0b3367cafdbca9752b0016239aa197c7e647f2624358555e6eb30dbb9c60f7fce3944b1114b1e5b4885e1750127e2cdbb76cb39

  • SSDEEP

    24576:juApeRtxCwU3A6FKsLFvKOS0OYatq9O3F97:aVRB6qOeNX

Malware Config

Extracted

Family

redline

Botnet

success

C2

204.10.161.147:7082

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.dkplus.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    04rf710m29

Targets

    • Target

      e-dekont.exe

    • Size

      1.3MB

    • MD5

      87c252fb664a71af9b62da1a7661d2e9

    • SHA1

      a6df180a2d267faf3d7c08ca9b218ac9008f27ed

    • SHA256

      a48800d7b18541d4375e24bfede8beb941e55bc2c5d996553425bc3c52c0f0a9

    • SHA512

      ec9403c0c64513210957317b93c4d79d034f8d0dd7eb64c315d8e82d1e97892d6c20e4e024b480cfd1cad1ffd9fa7a2e3daf030103755361729a1c3152be270e

    • SSDEEP

      24576:hu6J33O0c+JY5UZ+XC0kGso6FazOiI8GE7zFP6W2BjjnW2ckPWY:zu0c++OCvkGs9FazjnP6h5jWxY

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET.

    • Agenttesla family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions. WinSCP keeps saved sessions, including any stored passwords, in the registry under HKCU\Software\Martin Prikryl\WinSCP 2\Sessions or in a WinSCP.ini file.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla (for example sitemanager.xml and recentservers.xml, which hold saved server credentials).

    • Reads user/profile data of local email clients

      Email clients store account settings and saved credentials on disk, which infostealers commonly target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, its WOW6432Node counterpart and the HKCU equivalent) to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIt scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects the execution of a (typically suspended) thread. It is a common step in process hollowing and RunPE-style injection, where a payload is written into another process and that process's main thread is pointed at it.
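
The following is an added example, not part of this sandbox report or of the sandbox vendor's tooling. It turns the extracted configs above (the RedLine C2 address and the Agent Tesla SMTP exfiltration host) and the behaviours listed in this section (an external IP lookup followed by command-and-control traffic) into a small detection run over constructed network-connection events. The event records, process paths and PIDs are made up for illustration, and the list of IP-lookup services is an assumption: the report only says the sample "uses a legitimate IP lookup service" without naming it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOCs copied from the extracted configs in this report.
REDLINE_C2 = ("204.10.161.147", 7082)
AGENTTESLA_SMTP = ("mail.dkplus.com.tr", 587)

# Assumption: a few public IP-lookup services. The report does not name
# which service the sample used, so this list is illustrative only.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "checkip.amazonaws.com",
                   "icanhazip.com", "ifconfig.me"}


@dataclass(frozen=True)
class NetEvent:
    """One outbound connection (think Sysmon Event ID 3 plus the resolved name)."""
    ts: int      # seconds since the start of the capture
    pid: int
    image: str   # full path of the connecting process
    dest: str    # destination hostname when known, otherwise the IP
    port: int


def classify(ev: NetEvent) -> Optional[str]:
    """Label one event against the report's IOCs; None if unremarkable."""
    if (ev.dest, ev.port) == REDLINE_C2:
        return "redline_c2"
    if (ev.dest, ev.port) == AGENTTESLA_SMTP:
        return "agenttesla_smtp_exfil"
    if ev.dest in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    return None


def match_iocs(events: List[NetEvent]) -> List[Tuple[int, str, str]]:
    """Direct hits: any process talking to the extracted C2 or the SMTP exfil host."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label in ("redline_c2", "agenttesla_smtp_exfil"):
            hits.append((ev.pid, ev.image, label))
    return hits


def correlate(events: List[NetEvent], window: int = 60) -> List[Tuple[int, str, str]]:
    """Behavioural sequence from the report: the same process looks up its
    external IP and, within `window` seconds, contacts the C2 or the SMTP
    exfil host. An IP lookup on its own is not flagged; browsers and VPN
    clients do that too."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)
    hits = []
    for pid, evs in by_pid.items():
        lookup_times = [e.ts for e in evs if classify(e) == "external_ip_lookup"]
        for e in evs:
            label = classify(e)
            if label in ("redline_c2", "agenttesla_smtp_exfil") and any(
                    0 <= e.ts - t <= window for t in lookup_times):
                hits.append((pid, e.image, f"ip_lookup_then_{label}"))
    return hits


# Constructed events for illustration; the paths and PIDs are made up.
STEALER = r"C:\Users\victim\Downloads\e-dekont.exe"
SAMPLE_EVENTS = [
    NetEvent(10, 4120, STEALER, "api.ipify.org", 443),       # external IP lookup
    NetEvent(12, 4120, STEALER, "204.10.161.147", 7082),     # RedLine C2 from the report
    NetEvent(25, 4312, STEALER, "mail.dkplus.com.tr", 587),  # Agent Tesla SMTP exfil host
    NetEvent(30, 700, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
             "smtp.office365.com", 587),                      # benign mail client
    NetEvent(40, 900, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "api.ipify.org", 443),                           # benign IP lookup, no alert
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS) + correlate(SAMPLE_EVENTS):
        print(hit)
```

Two caveats when carrying this over to real telemetry. The file reads listed above (WinSCP sessions, FileZilla configuration, browser and mail-client profiles) do not appear in Sysmon network or registry events; they are visible in the sandbox's API monitor and in EDR file-access telemetry, so the network matching here complements rather than replaces those signals. The SMTP account in the extracted config is the exfiltration channel, so a connection to that host and port from anything other than a mail client is the useful indicator; the credential itself should be reported to the domain owner, not reused.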

MITRE ATT&CK Enterprise v15

Tasks