General

  • Target

    Orders.mn.zip

  • Size

    13KB

  • Sample

    210419-nhbfa5gt6a

  • MD5

    fbbad25e8d851e2d3ab09ba868c5d190

  • SHA1

    16ebde8f93a5c9372e3a519f880dbc27d821e19f

  • SHA256

    99fb89b43071f1c2b60514298ac2f28c27de776ea1bc0a2956304d83481daa81

  • SHA512

    48e198375904e9abdf0f2b19d774c4069b48c15bff827e92fa084200846d627e105ad4fc3897481be22aefcaba2e2356d599898da910a4f11ea0893c1a34fb35

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.jumatsedekah.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YV1i#[N*@-6-

Targets

    • Target

      Orders.exe

    • Size

      23KB

    • MD5

      74f25f624f40c12bf270ec8c79c042af

    • SHA1

      2a44961bc6099b553258adda6b0c5e7871f8069a

    • SHA256

      07ec2c9cdd71be2769952cb169ec7db7625ba8790d95cf3d977b9544d8efbcf9

    • SHA512

      272a813a369f38db8ec1580d86181b809ef67628f5c6e44d078f9f45d7dbc4f19e5b7b64e29497621e29ef2c06b0950f0bab364d8177ea8d71dfa74b632a8eab

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2
    Install Root Certificate (T1130): 1

  • Credential Access

    Credentials in Files (T1081): 3

  • Discovery

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 3