Overview

overview

10

Static

static

PM114079-990528.exe

windows7_x64

10

PM114079-990528.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PM114079-990528.zip

  • Size

    542KB

  • Sample

    210728-dxbnw3mh5x

  • MD5

    23b7536e5535d7149a19550ef29f162d

  • SHA1

    d14e4c39eb5d8e9ce37f172541b9e1b511b6ec71

  • SHA256

    f9dd6bbbd740f9fd93278383f410ad849653ec7b594c0005d70e6b1827f4b0ed

  • SHA512

    a71b5b74eaaf6c6051dfa3db55c427d054c54938946000e5d0df0a9e81647d5ffadb7e9568b6af04b5ed8fb7a620816371265e5d3f67d49a30a2a3e456e946a2

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    webmail.worldlinkcolombo.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    FBF8TNIO60WI6615677789

Targets

    • Target

      PM114079-990528.exe

    • Size

      761KB

    • MD5

      e78b9a4ecd3c23cc7191b2510ec7f43d

    • SHA1

      e2e63c6feafd3d4dcd33667a6a5311df3ee89b43

    • SHA256

      5e3530721b76f0a3c0ed75b87df2d34b942601845a3bb9c04fdc82efe956463d

    • SHA512

      9e3625605509e671c950f8294b6c494e2f11c511eadc41a0befe21545ac6d4605d2e88760eb293c7d9d7630a853b34596ba0d52f1b206fa0a39d1d6074aee802

    Score
    10/10
    agentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks