Overview

overview

10

Static

static

INVOICES..exe

windows7_x64

10

INVOICES..exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    INVOICES..exe

  • Size

    1.0MB

  • Sample

    210421-49pazze24x

  • MD5

    8f71df24690c4f0c8f652f19486c808c

  • SHA1

    522068a4258cc4d502e6e6401bbc6dbb0e1eafa7

  • SHA256

    ab6dc10bd96deb553f6020091e37aaff85d25a729636a5be616b1bcc5b6fdb1b

  • SHA512

    623e4129266af806b8d450395c07d5cd0941876eebb2dd3f63cef53a8695991ec8633428f881c0422f52b10ec0d8ea890decabdf624ec6df6a93e4aae148d1f2

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.lallyautomobiles.net
  • Port:
    587
  • Username:
    servicekrl@lallyautomobiles.net
  • Password:
    Welcome@2021

Targets

    • Target

      INVOICES..exe

    • Size

      1.0MB

    • MD5

      8f71df24690c4f0c8f652f19486c808c

    • SHA1

      522068a4258cc4d502e6e6401bbc6dbb0e1eafa7

    • SHA256

      ab6dc10bd96deb553f6020091e37aaff85d25a729636a5be616b1bcc5b6fdb1b

    • SHA512

      623e4129266af806b8d450395c07d5cd0941876eebb2dd3f63cef53a8695991ec8633428f881c0422f52b10ec0d8ea890decabdf624ec6df6a93e4aae148d1f2

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks