General

  • Target: MV BEHTA Requisition.cab
  • Size: 365KB
  • Sample: 210421-ktjrnbv3sn
  • MD5: f2363a8d8134d1ecaef3dd4be64eef7b
  • SHA1: 4963e889ee97b1e7f47c1dc154c7b6445c0162ac
  • SHA256: adc3ccb9845024d523244f2ecd9a2e97e271ba310a07644393af3c2dce2e4920
  • SHA512: f0376a74f06bd88934aea0173d2d19d8f64ece5dbae10479c3dc9a694a14fce6a9af0878aeba0865b1140c9c03fd7d653caea7b784cb3594faf1882104b28777

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.hyshippingcn.com
  • Port: 587
  • Username: plogs112@hyshippingcn.com
  • Password: e*u@qkS4

Targets

    • Target: MV BEHTA Requisition.exe
    • Size: 477KB
    • MD5: 0bbd4f88ffc0e2403dc677db55138705
    • SHA1: 96969cad9fb63258840273415b56524e7e0dd44e
    • SHA256: 4e03a6064d48718f91df9160b73f9a8cba2976bf516e6f97dc0ec1ddf2c05633
    • SHA512: 71972eb34f862212faf2c90da28526aa7af502e3b32453bc9b3c4fefb52ceb50823f4da4003003f3527f87d41bf357e8adf2c84d22b3394aeac1d078df620e15

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery (1): System Information Discovery, T1082

Tasks