General

  • Target

    c593f0f725697c983674b57afbf1d63c47acb105e9942a40f8586ce8c890293e.exe

  • Size

    370KB

  • Sample

    240705-b77sgszbmr

  • MD5

    250631853c7cf62a4a3cc683017e2be4

  • SHA1

    588c3f2836b60acd1401e1ac4789fde1a8f6320a

  • SHA256

    c593f0f725697c983674b57afbf1d63c47acb105e9942a40f8586ce8c890293e

  • SHA512

    5f6a0d4fe0ab138c67c9b58970df616267a08457a6bca896dde6de22b6ff815114d3c1ae5e7bef2dcc3e101412f6c3c95fcc14fdf442e90a98ed039259563592

  • SSDEEP

    6144:ZsKxNX1AZr4pmt/DjcT3VMgEWM9GBSZm7QgypKKq16SgFMsNjUIoZP4tq:JWZr4pmtbjcT3ygKGBSTRq16TVLoatq

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      c593f0f725697c983674b57afbf1d63c47acb105e9942a40f8586ce8c890293e.exe

    • Size

      370KB

    • MD5

      250631853c7cf62a4a3cc683017e2be4

    • SHA1

      588c3f2836b60acd1401e1ac4789fde1a8f6320a

    • SHA256

      c593f0f725697c983674b57afbf1d63c47acb105e9942a40f8586ce8c890293e

    • SHA512

      5f6a0d4fe0ab138c67c9b58970df616267a08457a6bca896dde6de22b6ff815114d3c1ae5e7bef2dcc3e101412f6c3c95fcc14fdf442e90a98ed039259563592

    • SSDEEP

      6144:ZsKxNX1AZr4pmt/DjcT3VMgEWM9GBSZm7QgypKKq16SgFMsNjUIoZP4tq:JWZr4pmtbjcT3ygKGBSTRq16TVLoatq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET; the behaviours listed below are its usual credential-harvesting and anti-analysis routines.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions. WinSCP keeps them in the registry under HKCU\Software\Martin Prikryl\WinSCP 2\Sessions, and a password saved there is only obfuscated, not encrypted, so the stealer can recover it directly.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla (for example sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla, which hold saved server credentials unless a master password is set).

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4), so an attached debugger receives no events for that thread (anti-analysis).

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), detaching the calling thread from any debugger (anti-analysis).

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is typical of process hollowing / injection: a suspended thread's instruction pointer is redirected into injected code.

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      883eff06ac96966270731e4e22817e11

    • SHA1

      523c87c98236cbc04430e87ec19b977595092ac8

    • SHA256

      44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    • SHA512

      60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    • SSDEEP

      96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      8d4278d0b0af44c989ed14ea40b75e06

    • SHA1

      072f92761b281bc20d0bc3b3486251f60e6c259f

    • SHA256

      9c50ba10ff8009137ad005aee7bdcace042ff343b37e11cd6ca45a6186ae977e

    • SHA512

      1a22c3aa8ea1ff980b5c7812f75a9369cfd74f2b780039e79c0c52eb00cb019bac6f860e97a7279f0c8e4c890e5dd1bca31e69d6548fc73397d4fa05c8b12542

    • SSDEEP

      96:N7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgNw38:xygp3FcHi0xhYMR8dMqJVgN

    • Score

      3/10
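An added example, not part of the sandbox report: a small Python rule set that re-derives the behavioural signatures listed above, and the per-technique counts of the ATT&CK matrix that follows, from a sandbox-style API trace. The trace itself (user name, profile names, hostnames) is constructed for the example, the two hostname lists are placeholders, and the per-signature ATT&CK assignment is my reconstruction chosen so that the counts reproduce the matrix; the report does not publish which signature feeds which technique. The artifact locations used by the rules are the well-known ones: WinSCP sessions in the registry, FileZilla sitemanager.xml/recentservers.xml, Thunderbird profile files, Chromium "Login Data", and Outlook profile keys.

```python
# Added example (not from the sandbox report): re-derive the report's
# behavioural signatures and ATT&CK technique counts from an API trace.
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed trace in the shape a sandbox logs API calls: (api, argument).
# User name, profile names and hostnames are invented for this example.
SAMPLE_TRACE = [
    ("NtOpenKey", r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\site1"),
    ("NtCreateFile", r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"),
    ("NtCreateFile", r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"),
    ("NtCreateFile", r"C:\Users\u\AppData\Roaming\Thunderbird\Profiles\x.default\logins.json"),
    ("NtCreateFile", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("NtOpenKey", r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    ("HttpOpenRequestA", "http://ip-lookup.example/json"),        # assumed IP-lookup host
    ("HttpOpenRequestA", "https://paste-host.example/raw/abc"),   # assumed abused hosting
    ("NtSetInformationThread", "ThreadInformationClass=0x11"),    # 0x11 = ThreadHideFromDebugger
    ("NtCreateThreadEx", "CreateFlags=0x4"),                      # 0x4 = THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER
    ("SetThreadContext", "hThread=0x1a4"),
    ("NtCreateFile", r"C:\Windows\System32\kernel32.dll"),        # benign noise; must not match
]

# Placeholder host lists; a real sandbox keeps curated ones.
IP_LOOKUP_HOSTS = {"ip-lookup.example"}
ABUSED_HOSTING_HOSTS = {"paste-host.example"}

def _host(url):
    return urlparse(url).hostname or ""

def _flag(arg, name):
    """Parse a 'name=0x..' argument into an int (0 if absent)."""
    m = re.search(name + r"=0x([0-9a-fA-F]+)", arg)
    return int(m.group(1), 16) if m else 0

# (signature name as in the report, ATT&CK IDs, predicate over (api, arg)).
# The ID assignment per signature is an assumption chosen to reproduce the
# matrix counts; the report itself does not publish the mapping.
RULES = [
    ("Reads WinSCP keys stored on the system", ("T1552.002", "T1005"),
     lambda api, a: api == "NtOpenKey" and r"\WinSCP 2\Sessions" in a),
    ("Reads data files stored by FTP clients", ("T1552.001", "T1005"),
     lambda api, a: api == "NtCreateFile"
     and re.search(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", a, re.I)),
    ("Reads user/profile data of local email clients", ("T1552.001", "T1005"),
     lambda api, a: api == "NtCreateFile" and r"\Thunderbird\Profiles" in a),
    ("Reads user/profile data of web browsers", ("T1552.001", "T1005"),
     lambda api, a: api == "NtCreateFile" and re.search(r"\\User Data\\.*\\Login Data$", a)),
    ("Accesses Microsoft Outlook profiles", ("T1114",),
     lambda api, a: api == "NtOpenKey" and r"\Outlook\Profiles" in a),
    ("Looks up external IP address via web service", ("T1082",),
     lambda api, a: api.startswith("Http") and _host(a) in IP_LOOKUP_HOSTS),
    ("Legitimate hosting services abused for malware hosting/C2", ("T1102",),
     lambda api, a: api.startswith("Http") and _host(a) in ABUSED_HOSTING_HOSTS),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", (),
     lambda api, a: api == "NtSetInformationThread" and _flag(a, "ThreadInformationClass") == 0x11),
    ("Suspicious use of NtCreateThreadExHideFromDebugger", (),
     lambda api, a: api == "NtCreateThreadEx" and _flag(a, "CreateFlags") & 0x4),
    ("Suspicious use of SetThreadContext", (),
     lambda api, a: api == "SetThreadContext"),
]

def scan(trace):
    """Return {signature name: [arguments that triggered it]}."""
    hits = {}
    for api, arg in trace:
        for name, _ids, pred in RULES:
            if pred(api, arg):
                hits.setdefault(name, []).append(arg)
    return hits

def attack_matrix(hits):
    """Count fired signatures per technique; a sub-technique hit also counts for its parent."""
    counts = Counter()
    for name, ids, _pred in RULES:
        if name not in hits:
            continue
        for tid in ids:
            counts[tid] += 1
            if "." in tid:
                counts[tid.split(".")[0]] += 1
    return counts

if __name__ == "__main__":
    h = scan(SAMPLE_TRACE)
    for name, args in h.items():
        print(f"[+] {name}: {len(args)} event(s)")
    for tid, n in sorted(attack_matrix(h).items()):
        print(f"    {tid}: {n}")
```

To use it on a real run, replace SAMPLE_TRACE with (api, argument) pairs parsed from your own sandbox's API log; the rules key on the artifact paths, not on the sample's hashes, so they apply to any Agent Tesla build that harvests the same stores.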

MITRE ATT&CK Matrix (ATT&CK v13)

Technique (ID): number of matching signatures

Credential Access
  • Unsecured Credentials (T1552): 4
    • Credentials In Files (T1552.001): 3
    • Credentials in Registry (T1552.002): 1

Discovery
  • System Information Discovery (T1082): 1

Collection
  • Data from Local System (T1005): 4
  • Email Collection (T1114): 1

Command and Control
  • Web Service (T1102): 1

Tasks