Overview

overview

10

Static

static

3

004552024107.bat.exe

windows7-x64

10

004552024107.bat.exe

windows10-2004-x64

10

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    004552024107.bat.exe

  • Size

    518KB

  • Sample

    240701-lzgw7svdpb

  • MD5

    2d40c2aefef620e7fb177f0cf24d8ea5

  • SHA1

    d4b00320d6be1ecac0fc016f1ad85a9774c14f47

  • SHA256

    576421830912fcb3f31f2721cb30607a7c07887a1558a80b626e0d9527467399

  • SHA512

    64e27276ffd6c44ac9572f0aed7367a004b8ee83e528518c607a39934329f54fac797b7c45e0dcc6c25c64b11fcb8b2f1ad21078ed4e3714ac61c0ba1e17fc70

  • SSDEEP

    12288:c19+dlfwYKZWegejzeusXEBS/PKPU6E0nn7+nJiPP:PdloYK7geveN0fPRnqnJi

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!

Targets

    • Target

      004552024107.bat.exe

    • Size

      518KB

    • MD5

      2d40c2aefef620e7fb177f0cf24d8ea5

    • SHA1

      d4b00320d6be1ecac0fc016f1ad85a9774c14f47

    • SHA256

      576421830912fcb3f31f2721cb30607a7c07887a1558a80b626e0d9527467399

    • SHA512

      64e27276ffd6c44ac9572f0aed7367a004b8ee83e528518c607a39934329f54fac797b7c45e0dcc6c25c64b11fcb8b2f1ad21078ed4e3714ac61c0ba1e17fc70

    • SSDEEP

      12288:c19+dlfwYKZWegejzeusXEBS/PKPU6E0nn7+nJiPP:PdloYK7geveN0fPRnqnJi

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      2d5f40ddc34e9dc8f43b5bf1f61301e3

    • SHA1

      5ed3cd47affc4d55750e738581fce2b40158c825

    • SHA256

      785944e57e8e4971f46f84a07d82dee2ab4e14a68543d83bfe7be7d5cda83143

    • SHA512

      605cebcc480cb71ba8241782d89e030a5c01e1359accbde174cb6bdaf249167347ecb06e3781cb9b1cc4b465cef95f1663f0d9766ed84ebade87aa3970765b3e

    • SSDEEP

      96:8eQMA6z4f7TI20Y1wircawlkX1b3+LDfbAJ8uLzqkLnLiEQjJ3KxkP:tChfHv08wocw3+e8uLmyLpmP

    Score
    1/10
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      12b140583e3273ee1f65016becea58c4

    • SHA1

      92df24d11797fefd2e1f8d29be9dfd67c56c1ada

    • SHA256

      014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

    • SHA512

      49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

    • SSDEEP

      192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C

    Score
    3/10
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      90228dd140188ec0ca02f7f52e4c9a30

    • SHA1

      6880d9aeec4c97c4b7718044c9c59b92379feaca

    • SHA256

      54bcf3d018734b884bd33a74a05eea0ac3c83501acbdb71ea8ec56ec9402a263

    • SHA512

      1a38b1ebb9e2440dd240c8cd2406261e21b544ed392f808d36f78590075f854d89e624589bfddabcace96b33a7f3084c7686351bd66ae07ec035bbef94ef8da2

    Score
    3/10
    behavioral7behavioral8

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      4a2f4fe4a3ad1de56ee6bf7dd4923963

    • SHA1

      7cc68b94448c964fd99904e5784b059aed4d5daa

    • SHA256

      89b1e6509a1b45b32933e9d785a9c8c5b9ce7c616e1112dcf7fc3fa5ca27ebde

    • SHA512

      4b6bbe75beafae9a29932ff5ddd3940aadfae62c157836e6cdab755955782dd5354d5eb389b4b8c16bf59f4ce7a099a0161d915c1cf2968f28e195dc8e3997ea

    • SSDEEP

      96:z0OBtYZKtPsrqBApt1JHpb9XWk7Qe06iE6mE6YNFyVOHd0+uPHwEX:4tZKtrAJJJbP7iEHEbN8Ved0Ph

    Score
    3/10
    behavioral10behavioral9

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks