General

  • Target: swift copy.pdf.z
  • Size: 504KB
  • Sample: 210728-xkgn4ka62e
  • MD5: 0ec7f5c7ec4621cb1f629baae946377f
  • SHA1: 71a2ba24678adb95b368a4c11c86bf00d8da0122
  • SHA256: 6a61427fa26132640faa4616ef57d8d13785f8f73e2697720e036da63c7acdf3
  • SHA512: 1a6cfa1e0e1e71e1d14626c0e381ffc771e8cb107c1d1e3db5953b0f7698008d653a5936733d6e793d3af8072d72fe3a44bed97b434ea9cb3ab26263f18b8fab

Malware Config

Extracted

  • Family: agenttesla
  • Credentials
      • Protocol: smtp
      • Host: mail.kenmascs.com
      • Port: 587
      • Username: [email protected]
      • Password: Kenya254!

Targets

    • Target: swift copy.pdf.exe
    • Size: 742KB
    • MD5: d18634c6f1eda281e774e901f6ac85fe
    • SHA1: 7f2b6fd27c28fbcc724bd8cb6e19fa70c5fb27ca
    • SHA256: e4161228e6d0834d34f12745d57902d9f98a0a6302811b094189a4f9a708a365
    • SHA512: 8d9c060da8a4f9abf6e4565ebdb7b7f6e264933ea05df26ad48c53b659c6f1c0e93bd0dd4fd7a4cb0994d3f9b1ba7731412767310722d3dd334ebdb4f6a98022

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Signatures  ID
  Execution             Scheduled Task                 1           T1053
  Persistence           Scheduled Task                 1           T1053
  Privilege Escalation  Scheduled Task                 1           T1053
  Credential Access     Credentials in Files           3           T1081
  Discovery             System Information Discovery   1           T1082
  Collection            Data from Local System         3           T1005
