Derin Statik Analiz — AgentTesla | Tehdit: high

Archivo Kimligi

SHA25675ab1254bcb71bceafebf3297dcd931f991baf587a9690686b644407ea938468
MD55ce7c1223195b2f892fb86e6cfc3bb89
SHA1d86d6018d4bd3142a8d7c0e4c51d0c8c9c3695ea
Tamaño636821 byte
Tur/opt/ksentinel/samples/5a505f489d40c545ddacf31c16898cc85d6cf4bb308ff8448e24bcc74
DerlemeDesconocido
PackerUPX
C2 Adresi: Sifrelenmis/obfuskeli config (statik analizle cozulemedi)

Yetenekler

  • Tespit edilemedi (obfuskeli)

Gelistirici Ipuclari

PDB Yolu: bash: -c: line 1: syntax error near unexpected token `|' bash: -c: line 1: `grep -oiE '[A-Za-z]:\\Users\\[^\\]{2,30}\\[^

Telegram: @0ND1 @771I @8rEW @fgqS1 @ha11

PE Analizi

Binwalk / Packer

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, encrypted compressed size: 63

Familia Tespiti

String kaniti bulunamadi (sifrelenmis/obfuskeli).

AgentTesla — Perfil del malware

AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Sayısal obfuscation v6034. SMTP FTP HTTP C2.

Tipo de malware
Infostealer
Lenguaje de programación
.NET
Protocolo C2
SMTP/FTP
Sistemas objetivo
Windows
También conocido como (AKA)
Agent Tesla

Detalles técnicos

C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot

Atribución / Actor de amenaza

Turkce konusulan gelistirici 'Turk Hack Team' ile iliskilendirilen ve Turkiye'den yonetildigi dusunulen platform. Pek cok farkli siber suc grubu musterisi bulunmaktadir.

Capacidades y comportamiento

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

Lista IOC (5 indicadores)

IOC — AgentTesla
# d86d6018d4bd3142a8d7c0e4c51d0c8c9c3695ea # SHA256 75ab1254bcb71bceafebf3297dcd931f991baf587a9690686b644407ea938468 # MD5 5ce7c1223195b2f892fb86e6cfc3bb89 # FILEPATH bash: -c: line 1: syntax error near unexpected token `|' # FILEPATH bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'
TipoValorNota
d86d6018d4bd3142a8d7c0e4c51d0c8c9c3695ea
sha256 75ab1254bcb71bceafebf3297dcd931f991baf587a9690686b644407ea938468
md5 5ce7c1223195b2f892fb86e6cfc3bb89
filepath bash: -c: line 1: syntax error near unexpected token `|'
filepath bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'

Servidores C2 (8 servidores registrados para esta familia)

Dirección Tipo Puerto Protocolo Estado País
digicert.com domain &mdash; TCP active &mdash;
stem.ru domain &mdash; TCP active &mdash;
digicert.com domain &mdash; TCP active &mdash;
dublincore.org domain &mdash; TCP active &mdash;
googleapis.com domain &mdash; TCP active &mdash;
microsoft.com domain &mdash; TCP active &mdash;
freightfacilitators.com domain &mdash; TCP active &mdash;
digicert.com domain &mdash; TCP active &mdash;

Las direcciones C2 se proporcionan únicamente a partir de muestras de malware verificadas manualmente por el equipo KEYDAL. Se prohíbe el uso comercial.

Etiquetas
agentteslastatik-analizhighc2iocpe