General

  • Target

    9ee7860970dda59e4eb23bb9bb010bf5.exe

  • Size

    36KB

  • Sample

    210419-kzff21kjyn

  • MD5

    9ee7860970dda59e4eb23bb9bb010bf5

  • SHA1

    5bb2807519c91309121d91c019575c18f8b83b2d

  • SHA256

    a31924a3f39126f3f253c75ea5b787a4756b885828916ff5bd5b1c9ca9b95c59

  • SHA512

    6dcfaa4e3b8457987b7750f0e31cb917af2d355eee7e343333c14b6ba8d12d31db17e7d4dd5809e5d168d3c715fdb70b38ddcc96d6050742b68c9cb68fc4a055

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.orienttech.com.qa
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Op{^fLb9gN[!

Targets

    • Target

      9ee7860970dda59e4eb23bb9bb010bf5.exe

    • Size

      36KB

    • MD5

      9ee7860970dda59e4eb23bb9bb010bf5

    • SHA1

      5bb2807519c91309121d91c019575c18f8b83b2d

    • SHA256

      a31924a3f39126f3f253c75ea5b787a4756b885828916ff5bd5b1c9ca9b95c59

    • SHA512

      6dcfaa4e3b8457987b7750f0e31cb917af2d355eee7e343333c14b6ba8d12d31db17e7d4dd5809e5d168d3c715fdb70b38ddcc96d6050742b68c9cb68fc4a055

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion
    Modify Registry (T1112): 2
    Install Root Certificate (T1130): 1

  • Credential Access
    Credentials in Files (T1081): 3

  • Discovery
    System Information Discovery (T1082): 1

  • Collection
    Data from Local System (T1005): 3
