General

  • Target

    HLG 21665-PSI-October -2021.zip

  • Size

    455KB

  • Sample

    211019-byb98agaen

  • MD5

    ffc74c2bae804987e6f31db45406c99b

  • SHA1

    3aad70320ae662227d62269abf1d55f4d38e2f8b

  • SHA256

    d2a3560a21206f97042705f8716f3b4e05088eaa202c601016d772b6afa73b79

  • SHA512

    50fd648288b105662ced88b0e0cd5a873931b8a816c36d0401d7fd13497265c18ff6f4cbd6a8530c2f2b5aa9c46f29dda2b1cf17b696f7483a0ef7da56d0c0b5

Malware Config

Extracted

  • Family

    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    transportescascao.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    CasMan123*

Targets

    • Target

      HLG 21665-PSI-October -2021,PDF.exe

    • Size

      546KB

    • MD5

      b61ee97598d4a4800372f1377b428668

    • SHA1

      4829f88c43ad29c5b2fc4d8ed7473ec1a459d5fd

    • SHA256

      a7c4c408c51d3a96529c48115fa084c2c49bc9dbf0c9a4067c7cb35753852e43

    • SHA512

      92d19d527d7f7a7541e8c3093582a870082823ce697209a9a5c574c28c93f6cf95f30d4100958ad477176111bbb81566e440e0a19158e5ef7965de9013c1e126

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 3

  • Collection

    Data from Local System (T1005): 3
    Email Collection (T1114): 1

Tasks