General

  • Target

    PAYMENT FOR OVERDUE INVOICE1.zip

  • Size

    420KB

  • Sample

    211020-earlsahedj

  • MD5

    8bffb60b4d18b7cbbd7bc4dead4e9d02

  • SHA1

    381aff26f6ed5712e8e2e330113fbc6415675117

  • SHA256

    a4cfd91dcbdb28c39be3479755474b7ab022700ab7399e380df87db11ff808bf

  • SHA512

    6c74a9fb07ed317fac077d1e6e17a52fdb7f4819391e2733a81f210815723e8dd61d67ba1fe242dafa8cb2735498e874779798a14268eb1bae355b7d5edbea81

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mmm777

Targets

    • Target

      PAYMENT FOR OVERDUE INVOICE1.exe

    • Size

      473KB

    • MD5

      17c013ef54d77f3a21dba1015a5d0a6d

    • SHA1

      2e03a063dacf2ab5da74fc804420be20ec539235

    • SHA256

      2cdb5e01ac073690d5c4a3ed3ba53eca94dbb701c7811f088a89b8ca9a6e2670

    • SHA512

      ca294feb4050751537a4f0822b40ffd4d03206aa7bdc5bbd43a958d962dcd93695fbb5f9a9226d9cbf4649952deed3eb36cb90596fc507160827c7ec95fe65af

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                | Technique                    | ID    | Count
  ----------------------+------------------------------+-------+------
  Execution             | Scheduled Task               | T1053 | 1
  Persistence           | Scheduled Task               | T1053 | 1
  Privilege Escalation  | Scheduled Task               | T1053 | 1
  Credential Access     | Credentials in Files         | T1081 | 3
  Discovery             | System Information Discovery | T1082 | 1
  Collection            | Data from Local System       | T1005 | 3
  Collection            | Email Collection             | T1114 | 1
