General

  • Target

    New PO.pdf.'.zip

  • Size

    572KB

  • Sample

    210419-8x8zjclqza

  • MD5

    30afa5ef47ad71f43a7eebece150be6d

  • SHA1

    0f04347968ad70cee88f7f30eef11ae239aaf65f

  • SHA256

    6d54d3e4524a80426dff0a58f81a3848a6134dff13b4fff65abda706ddb54c20

  • SHA512

    610ac2699c940f79d327222e34930c17974fcb1fe3faffc806e34eb9ed63dcf8fb08f25d7c5008b08fc26ea2e7f76c2603801ab0b34a553cd53282093f584e63

Malware Config

Extracted

  • Family

    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.lallyautomobiles.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Welcome@2021

Targets

    • Target

      New PO.pdf.'.exe

    • Size

      829KB

    • MD5

      ea2f6afd43fe464c3b90f05762def390

    • SHA1

      cf20ecb582c6c6385860bc7a76a866a3f28c06aa

    • SHA256

      587de2149d6418990852b59fdb044911f6dd33f60bc6392fb2e93c8538b91453

    • SHA512

      409241a1f4e7f284055751881534a932eb23d27edd0779ee78b90b9cc666925a927a3851a37feca63773b1c72f0b1945e9dfc7259b9931066e4de8f1ecdccc60

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder, T1060 (1)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Credential Access

    Credentials in Files, T1081 (3)

  • Collection

    Data from Local System, T1005 (3)

Tasks