Overview

overview

10

Static

static

Order428621.doc

windows7_x64

10

Order428621.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order428621.doc

  • Size

    3KB

  • Sample

    210726-hz7qvj2k62

  • MD5

    484be17f86d5f3fe19117cde512b7835

  • SHA1

    b98db5bf4e847095c044a23d66434710bb9d7b58

  • SHA256

    2e2295c29610c858b6ef4d775420fc9af1b1e8ef82da746fdc9ba23a14ecd494

  • SHA512

    549dfba2fb60dd53dbf2e8e130d690c8d7b5c8b3090da6514c51b9559ef2fe08d5dde1f14255969b6d603311be76a19d700beb2f17891f95a10c1019cc863f65

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    accounts@trialseqco-uk.icu
  • Password:
    NewMexcico@123

Targets

    • Target

      Order428621.doc

    • Size

      3KB

    • MD5

      484be17f86d5f3fe19117cde512b7835

    • SHA1

      b98db5bf4e847095c044a23d66434710bb9d7b58

    • SHA256

      2e2295c29610c858b6ef4d775420fc9af1b1e8ef82da746fdc9ba23a14ecd494

    • SHA512

      549dfba2fb60dd53dbf2e8e130d690c8d7b5c8b3090da6514c51b9559ef2fe08d5dde1f14255969b6d603311be76a19d700beb2f17891f95a10c1019cc863f65

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Exploitation for Client Execution

1
T1203

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks