General

  • Target

    7452fd1d5500f817c13b905aca8bbaa62e10177c8c73cc19e9e1efdd9f8705bc

  • Size

    1.1MB

  • Sample

    250404-dz1ejsyxfy

  • MD5

    069abd493248b3d71511a366fc619bbd

  • SHA1

    1ce8908748ace9685ff80847784e6dced4abc2e6

  • SHA256

    7452fd1d5500f817c13b905aca8bbaa62e10177c8c73cc19e9e1efdd9f8705bc

  • SHA512

    d26184890dc4f908417600896cfff531f0443501c80062d6a340f45f90d470eba9706d6af07da158add9db9b095ea6e11c9481a82fde18a8542b6ecefbf5d95e

  • SSDEEP

    24576:gRqR5hCkS3I/oP0FI5GnkdkNdayrOxjPuJQJHhIjvPsNp/fR60ny5biwA:VRT/op5GI2OxjWJQVCLF0ny1iwA

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.dkplus.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    04rf710m29

Extracted

Family

redline

Botnet

success

C2

204.10.161.147:7082

Extracted

Family

agenttesla

Credentials
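The hashes in the General section and the endpoints in the Malware Config section are the report's actionable IOCs. The following is an added hunt helper, not part of the sandbox report: it verifies a file against the report's MD5/SHA1/SHA256/SHA512 and scans firewall/proxy lines for the RedLine C2 (204.10.161.147:7082) and the SMTP server Agent Tesla mails stolen data to (mail.dkplus.com.tr:587). The hash and network values are copied from the report; the log lines and the `SAMPLE_LOG`/`scan_log` names are constructed for the example.

```python
"""Added hunt helper (not part of the sandbox report): the report's hashes and
network IOCs turned into checks a responder can run. The hash values and the
C2/SMTP endpoints are copied from the report; the log lines are constructed."""
import hashlib
import re

# File hashes from the "General" section.
REPORT_HASHES = {
    "md5": "069abd493248b3d71511a366fc619bbd",
    "sha1": "1ce8908748ace9685ff80847784e6dced4abc2e6",
    "sha256": "7452fd1d5500f817c13b905aca8bbaa62e10177c8c73cc19e9e1efdd9f8705bc",
    "sha512": ("d26184890dc4f908417600896cfff531f0443501c80062d6a340f45f90d470eb"
               "a9706d6af07da158add9db9b095ea6e11c9481a82fde18a8542b6ecefbf5d95e"),
}

# Network IOCs from the "Malware Config" section: RedLine C2 and the SMTP server
# Agent Tesla uses to mail out stolen data.
NETWORK_IOCS = {
    ("204.10.161.147", 7082): "redline_c2",
    ("mail.dkplus.com.tr", 587): "agenttesla_smtp_exfil",
}

# host:port tokens inside free-form firewall/proxy lines.
HOSTPORT = re.compile(r"(?<![\w.])([A-Za-z0-9.-]+):(\d{1,5})\b")


def file_hashes(data: bytes) -> dict:
    """Digest the bytes with every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matching_report_hashes(data: bytes) -> list:
    """Names of the report hashes these bytes reproduce (all four for the real sample)."""
    got = file_hashes(data)
    return [name for name, value in REPORT_HASHES.items() if got[name] == value]


def scan_log(lines) -> list:
    """Flag lines that talk to an IOC host. An exact host:port match is high
    confidence; the same host on another port is still worth a look."""
    hits = []
    for idx, line in enumerate(lines):
        for host, port in HOSTPORT.findall(line):
            for (ioc_host, ioc_port), label in NETWORK_IOCS.items():
                if host.lower() == ioc_host:
                    confidence = "high" if int(port) == ioc_port else "medium"
                    hits.append({"line": idx, "ioc": label, "confidence": confidence})
    return hits


# Constructed log lines (RFC 5737 address for the benign traffic).
SAMPLE_LOG = [
    "2025-04-04T12:01:07Z fw allow src=10.0.0.15:51234 dst=204.10.161.147:7082 proto=tcp",
    "2025-04-04T12:01:09Z proxy CONNECT mail.dkplus.com.tr:587 user=jdoe",
    "2025-04-04T12:01:11Z fw allow src=10.0.0.15:51240 dst=204.10.161.147:443 proto=tcp",
    "2025-04-04T12:02:00Z fw allow src=10.0.0.22:51001 dst=198.51.100.7:443 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(matching_report_hashes(b"not the sample") or "no hash match")
```

Against the constructed lines the scanner reports the C2 beacon and the SMTP exfiltration as high-confidence hits and the C2 host on port 443 as a medium one; the benign line produces nothing. Feed `file_hashes` the bytes of a suspect file to confirm it is this sample rather than a repacked sibling.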

Targets

    • Target

      Materials_Technical_Details_Order_BD298_N78W.exe

    • Size

      1.6MB

    • MD5

      f664590d422d04b09a429b5cccd3e43b

    • SHA1

      13bbba67e66f84ed51cf58f921e99c0409cb08fd

    • SHA256

      ccca9a72aa09a05d727e82e02dfd145f71e5c48e09b4b77c35995ca8ef162fb4

    • SHA512

      0489adf9e6f44dfbb2a86e366fb184410844fc6a6fcc7f82637cb3407904e3b831728699d170a5c4efd65a44f84818d36e0c6573a2a54ba6a839052cecb23ee6

    • SSDEEP

      49152:bu0c++OCvkGs9Fax9hsuaRaV5Db0uk+EmZN/srY:aB3vkJ9q1EiXGr

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and infostealer written in Visual Basic (.NET).

    • Agenttesla family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Drops startup file

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store user data (account settings, saved credentials) on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
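Each signature above describes one observable action; on its own, most of them (enumerating the Uninstall key, looking up an external IP) are also performed by legitimate software. The following is an added detection example, not part of the sandbox report: it maps constructed, Sysmon-style host events to the report's signature names and only flags a process that trips several of them. Registry and file locations are the standard ones for WinSCP, FileZilla, Outlook and Chromium/Firefox profiles; the wallet paths and the IP-lookup hostnames are assumed lists, since the report names neither. The `EVENTS`, `MALWARE`, `BENIGN` and SID values are constructed.

```python
"""Added detection example (not part of the sandbox report): correlate the report's
behavioural signatures from endpoint telemetry. EVENTS are constructed, Sysmon-style
records for two processes. Registry/file locations are the standard ones for the
named programs; the IP-lookup hostnames and wallet paths are assumed lists."""
import re
from collections import defaultdict

# (report signature, event type, regex over the event's target). Targets use
# Windows backslashes, so each literal backslash in a regex is doubled.
RULES = [
    ("Drops startup file", "file_create",
     r"\\Start Menu\\Programs\\Startup\\[^\\]+$"),
    ("Reads WinSCP keys stored on the system", "registry_read",
     r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions"),
    ("Reads data files stored by FTP clients", "file_read",
     r"\\FileZilla\\(sitemanager|recentservers)\.xml$"),
    ("Reads user/profile data of local email clients", "registry_read",
     r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles"),
    ("Reads user/profile data of web browsers", "file_read",
     r"\\(Login Data|Cookies|key4\.db|logins\.json)$"),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting", "file_read",
     r"\\(Electrum\\wallets|Exodus\\exodus\.wallet)"),            # assumed wallet paths
    ("Checks installed software on the system", "registry_read",
     r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall"),
    ("Looks up external IP address via web service", "dns_query",
     r"^(api\.ipify\.org|checkip\.amazonaws\.com|icanhazip\.com)$"),  # assumed list
]
COMPILED = [(sig, etype, re.compile(rx, re.IGNORECASE)) for sig, etype, rx in RULES]

# Constructed process identities and locations.
MALWARE = (4120, r"C:\Users\user\AppData\Local\Temp\Materials_Technical_Details_Order_BD298_N78W.exe")
BENIGN = (1212, r"C:\Windows\explorer.exe")
USER_HIVE = r"HKU\S-1-5-21-1004"   # constructed SID
APPDATA = r"C:\Users\user\AppData\Roaming"


def ev(proc, etype, target):
    return {"pid": proc[0], "image": proc[1], "type": etype, "target": target}


# Constructed telemetry: the sample does the stealer's rounds; explorer.exe only
# reads the Uninstall key, which is normal for a shell listing installed apps.
EVENTS = [
    ev(MALWARE, "file_create", APPDATA + r"\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"),
    ev(MALWARE, "registry_read", USER_HIVE + r"\Software\Martin Prikryl\WinSCP 2\Sessions\prod-sftp"),
    ev(MALWARE, "file_read", APPDATA + r"\FileZilla\sitemanager.xml"),
    ev(MALWARE, "registry_read", USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    ev(MALWARE, "file_read", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ev(MALWARE, "file_read", APPDATA + r"\Electrum\wallets\default_wallet"),
    ev(MALWARE, "registry_read", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"),
    ev(MALWARE, "dns_query", "api.ipify.org"),
    ev(BENIGN, "registry_read", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"),
    ev(BENIGN, "file_read", r"C:\Users\user\Documents\notes.txt"),
]


def match_signatures(events):
    """Map each (pid, image) to the set of report signatures its events trip."""
    hits = defaultdict(set)
    for e in events:
        for sig, etype, rx in COMPILED:
            if e["type"] == etype and rx.search(e["target"]):
                hits[(e["pid"], e["image"])].add(sig)
    return dict(hits)


def infostealer_verdict(events, min_signatures=3):
    """Processes tripping at least min_signatures distinct signatures. One hit
    (an installer walking the Uninstall key) is noise; several credential-store
    reads plus an external IP lookup from one process is the stealer pattern."""
    return {proc: sorted(sigs) for proc, sigs in match_signatures(events).items()
            if len(sigs) >= min_signatures}


if __name__ == "__main__":
    for proc, sigs in infostealer_verdict(EVENTS).items():
        print(proc[1], "->", len(sigs), "signatures")
```

With the default threshold only the sample is flagged, with all eight rules tripped, while explorer.exe's single Uninstall-key read is ignored. Lowering `min_signatures` to 1 surfaces that read too, which is the kind of noise the correlation is there to suppress.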

MITRE ATT&CK Enterprise v15

Tasks