Overview

overview

10

Static

static

3

BL98229909...27.exe

windows10-2004-x64

10

BL98229909...27.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    23042025_0813_21042025_BL98229909101627.zip

  • Size

    913KB

  • Sample

    250423-j4xr4swkw5

  • MD5

    1e00a15fbe6f4f2b54e7b9ade88cf90b

  • SHA1

    52ce7eff5c819307934f9197e2928ce6c3659126

  • SHA256

    d4868faeec8e298ac1992d035f9a6a0993925c7f7804cb417d00721b75174c1f

  • SHA512

    10469b3c7134a060ff2d85c02d4c8d1f55e0db7a218bf863ac2d1c6843804415406bae7329c0bcd479fe4175abbf66cd4013bf64d0c0c55ded2562769f286589

  • SSDEEP

    24576:1MPyPcsT5aCyrDLXj2hcujV3SlpyfvAoZyTR/qNqPL:GPy5MCyDbj26uhS7MvD8TcNqD

Score
10/10
agenttesladiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dod
  • Password:
    Ball900@@

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://s4.serv00.com
  • Port:
    21
  • Username:
    f2241_dod
  • Password:
    Ball900@@

Targets

    • Target

      BL98229909101627/BL98229909101627.exe

    • Size

      992KB

    • MD5

      70386ced8b009d28b70269b18ce2ca6c

    • SHA1

      0abadc4432da2cf489e3c9ad060b389e36feebed

    • SHA256

      049cc2d1388dba66dfeb9fa5de703c293b681641a855d13a8cc1490b9d64d8ce

    • SHA512

      f9921f3a72780a1f98f3b177b2f550c38030a0bd79702b826ddbc19972928869e024df7a8343dfa8132151047ad9a208412c5e091938c6afe45c85914d0d66b0

    • SSDEEP

      12288:NRWp2S/1kgdprUT1ErcaZJDNXuODvLahmke0MQoUd7NoSwYszfFvANoKVs5t:vWpH6a0yAGDNXD2hmgpxwYs5vAor5t

    Score
    10/10
    agenttesladiscoverykeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v16

Tasks