General

  • Target

    Quotation order.exe

  • Size

    9.7MB

  • Sample

    201205-svzzrbbcts

  • MD5

    fec94c3fe9cead7cbe7a1d627eedd841

  • SHA1

    edbf4df6ea9509e000e3c964be99374e94545a3a

  • SHA256

    aca79c29fda3bfb7e34038dc5a9a31d05ed1aba543328367478ef21540555da7

  • SHA512

    3a5ffccf84f27ebc5cad4415a561d4678fc9e28c4c08e58d9d87e1f216d080ced1e06230e607e3efa8d1ded5b7a8ad6d0d7942a54c1d82387d7782e40b46377c

Malware Config

Extracted

Family

agenttesla

Credentials

  These are the operator's exfiltration settings embedded in the binary: Agent Tesla mails stolen data through an SMTP account the attacker controls, so the host, port, username and password below are the attacker's mailbox, not a credential belonging to the victim. Treat the host/port/username as network indicators and report the abused account to the provider; do not attempt to log in with it.

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    astonecargosafety@gmail.com
  • Password:
    Best242Best
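The extracted config is only useful once it becomes a detection. The following is an added example for this page, not code from the report, the sandbox vendor or the malware: it takes the SMTP host and port above and runs over constructed Sysmon Event ID 3-style network records, flagging a non-mail process that connects to the drop mailbox and escalating when the same process first queried a public IP-lookup service (the behaviour the signature "Looks up external IP address via web service" describes later in the report). The mail-client allowlist, the list of IP-lookup hosts, the process paths and the event lines are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Exfiltration endpoint taken from the extracted config above.
EXFIL_HOST, EXFIL_PORT = "smtp.gmail.com", 587

# Assumption: processes allowed to speak SMTP in this environment (tune to your estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Assumption: public IP-lookup services commonly seen in infostealer traffic; the report
# only says "a legitimate IP lookup service" without naming one.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"}


@dataclass
class NetEvent:
    ts: datetime
    pid: int
    image: str
    dest_host: str
    dest_port: int


def parse_event(line: str) -> NetEvent:
    """Parse a pipe-delimited 'ts|pid|image|dest_host|dest_port' record (a Sysmon EID 3 subset)."""
    ts, pid, image, host, port = line.split("|")
    return NetEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), int(pid), image, host.lower(), int(port))


# Constructed telemetry for illustration; these are not real events from the sandbox run.
SAMPLE_EVENTS = [
    "2020-12-05T10:01:02Z|4412|C:\\Users\\victim\\AppData\\Roaming\\svc\\svc.exe|api.ipify.org|443",
    "2020-12-05T10:01:05Z|4412|C:\\Users\\victim\\AppData\\Roaming\\svc\\svc.exe|smtp.gmail.com|587",
    "2020-12-05T10:03:00Z|2210|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|smtp.gmail.com|587",
    "2020-12-05T10:07:30Z|3380|C:\\Program Files\\Mozilla Firefox\\firefox.exe|icanhazip.com|443",
    "2020-12-05T10:09:41Z|5120|C:\\Users\\victim\\Downloads\\Quotation order.exe|smtp.gmail.com|587",
]


def detect_exfil(events: List[NetEvent], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Flag non-mail processes connecting to the configured SMTP drop; escalate to 'high'
    when the same process queried a public IP-lookup service within `window` beforehand."""
    by_pid: Dict[int, List[NetEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)

    alerts: List[dict] = []
    for pid, evs in by_pid.items():
        for ev in evs:
            if ev.dest_host != EXFIL_HOST or ev.dest_port != EXFIL_PORT:
                continue
            image_name = ev.image.rsplit("\\", 1)[-1].lower()
            if image_name in MAIL_CLIENTS:
                continue  # expected SMTP talker; a production rule would also check the user/mailbox
            lookups = [x for x in evs
                       if x.dest_host in IP_LOOKUP_HOSTS and ev.ts - window <= x.ts <= ev.ts]
            alerts.append({
                "pid": pid,
                "image": ev.image,
                "ip_lookup_before_exfil": bool(lookups),
                "severity": "high" if lookups else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil([parse_event(line) for line in SAMPLE_EVENTS]):
        print(alert)
```

Port 587 is submission with STARTTLS, so the username and password from the config are not visible to a network sensor once the session is encrypted; the rule therefore keys on process identity plus destination rather than on the credential, and the credential itself is best used as a blocking/reporting indicator.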

Targets

    • Target

      Quotation order.exe

    • Size

      9.7MB

    • MD5

      fec94c3fe9cead7cbe7a1d627eedd841

    • SHA1

      edbf4df6ea9509e000e3c964be99374e94545a3a

    • SHA256

      aca79c29fda3bfb7e34038dc5a9a31d05ed1aba543328367478ef21540555da7

    • SHA512

      3a5ffccf84f27ebc5cad4415a561d4678fc9e28c4c08e58d9d87e1f216d080ced1e06230e607e3efa8d1ded5b7a8ad6d0d7942a54c1d82387d7782e40b46377c

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), written in Visual Basic .NET, that harvests saved credentials from browsers, e-mail and FTP clients and exfiltrates them, in this sample over SMTP.

    • Modifies Winlogon for persistence

      Alters values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (typically Userinit or Shell) so the payload is launched at every logon.

    • AgentTesla Payload

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
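A host-side triage check for the two registry persistence behaviours in the list above (Winlogon tampering and a Run key entry), written as an added example for this page rather than code from the sandbox vendor or the malware. It parses a `reg export` dump of the relevant keys and reports Winlogon values that differ from the stock defaults plus Run entries that point into locations a user-mode dropper can write to. The sample dump, the path C:\Users\victim\AppData\Roaming\svc\svc.exe and the benign entries in it are constructed for the example, not artefacts from this run.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what `reg export` of the relevant keys could look like on a host where
# a dropped binary was wired into both Winlogon\Userinit and an HKCU Run key. Paths and value
# names are illustrative, not taken from the sandbox run above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Roaming\\svc\\svc.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"svc"="C:\\Users\\victim\\AppData\\Roaming\\svc\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path_lowercase: {value_name: data}} for REG_SZ values; other types stay raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # quoted REG_SZ; dword:/hex: data is kept as-is
            keys[current][name] = data
    return keys


WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Stock-install defaults; in practice compare against a known-good baseline for the host.
WINLOGON_EXPECTED = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}
RUN_KEYS = [
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
]
# Locations a user-mode dropper can write to; legitimate installers rarely autostart from them.
SUSPICIOUS_DIRS = re.compile(
    r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|%(APPDATA|TEMP|TMP|LOCALAPPDATA)%", re.I)


def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (kind, location, data) for tampered Winlogon values and suspicious Run entries."""
    findings: List[Tuple[str, str, str]] = []
    winlogon = {k.lower(): v for k, v in keys.get(WINLOGON_KEY, {}).items()}
    for name, expected in WINLOGON_EXPECTED.items():
        actual = winlogon.get(name)
        if actual is not None and actual.strip().lower() != expected:
            findings.append(("winlogon", name, actual))
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if SUSPICIOUS_DIRS.search(data):
                findings.append(("run", key + "\\" + name, data))
    return findings


if __name__ == "__main__":
    for kind, where, data in find_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{kind}] {where} -> {data}")
```

The Userinit check is the one that matters for this sample's Winlogon signature: the legitimate value is a comma-terminated list, so an appended second path still lets the normal logon complete while launching the payload, which is why a plain "does the value contain userinit.exe" test is not enough.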

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            ID      Matched signatures
  Persistence        Winlogon Helper DLL                  T1004   1
  Persistence        Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion    Modify Registry                      T1112   2
  Credential Access  Credentials in Files                 T1081   3
  Collection         Data from Local System               T1005   3

  The IDs are from ATT&CK v6. In current ATT&CK versions T1004 is T1547.004 (Boot or Logon Autostart Execution: Winlogon Helper DLL), T1060 is T1547.001 (Registry Run Keys / Startup Folder) and T1081 is T1552.001 (Unsecured Credentials: Credentials In Files); T1112 and T1005 keep their IDs.

Tasks