General

  • Target: cmap_485356515d560799c8f9.zip
  • Size: 757KB
  • Sample: 210421-twp9yclvnj
  • MD5: 10e3f747e03ba5442af1fba043d1d8ea
  • SHA1: 72e33ef5c021b57fbeabead53d8c84db8395e21c
  • SHA256: c7319977ff8a2bd8f45d60081360ec87bcef2cfc191bda718ecf9b787e44593a
  • SHA512: a232a0d78627b295d7d8f23c3238537fb1a7689b21c835822c5a098e1b17917a96f4e1ec0a411edf04f520787f56c2c066232340e11193f3e967e1af7a277423

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.slimecheck.com
  • Port: 587
  • Username: info@slimecheck.com
  • Password: abc00000

Targets

    • Target: 485356515d560799c8f9e159e436cbbb85110fcb3b5dc2180520186d0a406e9d.bin
    • Size: 780KB
    • MD5: eec8e09341c18d8797208118bd387900
    • SHA1: ba1a47be8b33a404415a71c0ccb11ddeee4c06a0
    • SHA256: 485356515d560799c8f9e159e436cbbb85110fcb3b5dc2180520186d0a406e9d
    • SHA512: d786699d15b6178c1e168126b30f4fb16d76ea65e3370bb619bb9e1cc9f13d391dda4b818f837a2171c69ac82a3186485e12c4ec7758fe075ac36dd172c65934

Signatures

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1
  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 3

Discovery

  • System Information Discovery (T1082): 1

Collection

  • Data from Local System (T1005): 3

Tasks