Overview

overview

10

Static

static

3

004552024107.bat.exe

windows7-x64

10

004552024107.bat.exe

windows10-2004-x64

10

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    004552024107.bat.exe

  • Size

    497KB

  • Sample

    240701-lz3hxavdrd

  • MD5

    610c22dff8f1f7d12746e879be25d778

  • SHA1

    158ec97fd4604350430ceeeac61f15f386094e9f

  • SHA256

    72553f4f7953a79115252ea22d00ed3aae235f637ce2e44d531b36af06d9b6cf

  • SHA512

    b6864d1d0479aa9b9d2689519a5f84d7a889e1c21e95dd30edc49235b7873740a92ff5f0ba8a650882e7fa9c1767a7238b63e50f2c9510d5384312f895443fcd

  • SSDEEP

    12288:c19+dlfwYKZWeg6GVH9v7YtI1CWQeUM6WYaCgIwRMaoGiPF:PdloYK7g6GVN7WyUMvIwRgGQ

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!

Targets

    • Target

      004552024107.bat.exe

    • Size

      497KB

    • MD5

      610c22dff8f1f7d12746e879be25d778

    • SHA1

      158ec97fd4604350430ceeeac61f15f386094e9f

    • SHA256

      72553f4f7953a79115252ea22d00ed3aae235f637ce2e44d531b36af06d9b6cf

    • SHA512

      b6864d1d0479aa9b9d2689519a5f84d7a889e1c21e95dd30edc49235b7873740a92ff5f0ba8a650882e7fa9c1767a7238b63e50f2c9510d5384312f895443fcd

    • SSDEEP

      12288:c19+dlfwYKZWeg6GVH9v7YtI1CWQeUM6WYaCgIwRMaoGiPF:PdloYK7g6GVN7WyUMvIwRgGQ

    Score
    10/10
    agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      2d5f40ddc34e9dc8f43b5bf1f61301e3

    • SHA1

      5ed3cd47affc4d55750e738581fce2b40158c825

    • SHA256

      785944e57e8e4971f46f84a07d82dee2ab4e14a68543d83bfe7be7d5cda83143

    • SHA512

      605cebcc480cb71ba8241782d89e030a5c01e1359accbde174cb6bdaf249167347ecb06e3781cb9b1cc4b465cef95f1663f0d9766ed84ebade87aa3970765b3e

    • SSDEEP

      96:8eQMA6z4f7TI20Y1wircawlkX1b3+LDfbAJ8uLzqkLnLiEQjJ3KxkP:tChfHv08wocw3+e8uLmyLpmP

    Score
    1/10
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      12b140583e3273ee1f65016becea58c4

    • SHA1

      92df24d11797fefd2e1f8d29be9dfd67c56c1ada

    • SHA256

      014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

    • SHA512

      49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

    • SSDEEP

      192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C

    Score
    3/10
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      90228dd140188ec0ca02f7f52e4c9a30

    • SHA1

      6880d9aeec4c97c4b7718044c9c59b92379feaca

    • SHA256

      54bcf3d018734b884bd33a74a05eea0ac3c83501acbdb71ea8ec56ec9402a263

    • SHA512

      1a38b1ebb9e2440dd240c8cd2406261e21b544ed392f808d36f78590075f854d89e624589bfddabcace96b33a7f3084c7686351bd66ae07ec035bbef94ef8da2

    Score
    3/10
    behavioral7behavioral8

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      4a2f4fe4a3ad1de56ee6bf7dd4923963

    • SHA1

      7cc68b94448c964fd99904e5784b059aed4d5daa

    • SHA256

      89b1e6509a1b45b32933e9d785a9c8c5b9ce7c616e1112dcf7fc3fa5ca27ebde

    • SHA512

      4b6bbe75beafae9a29932ff5ddd3940aadfae62c157836e6cdab755955782dd5354d5eb389b4b8c16bf59f4ce7a099a0161d915c1cf2968f28e195dc8e3997ea

    • SSDEEP

      96:z0OBtYZKtPsrqBApt1JHpb9XWk7Qe06iE6mE6YNFyVOHd0+uPHwEX:4tZKtrAJJJbP7iEHEbN8Ved0Ph

    Score
    3/10
    behavioral10behavioral9

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks