Overview

overview

10

Static

static

PO_DEA657-...12.exe

windows10_x64

10

Resubmissions

21-10-2021 10:46

211021-mtzeqsbadj 10

30-08-2021 17:53

210830-nq8dghhjyn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO_DEA657-ARFT-HD51012.exe

  • Size

    685KB

  • Sample

    211021-mtzeqsbadj

  • MD5

    6ccb26ef552a1c49f6003dad2d7afd32

  • SHA1

    5ae4a9a47b735329695592aad58b8b95ca846c88

  • SHA256

    1dc5a420f5f2b1fde70c54cf70d22af94b7fbea0206e9f0c9a20d70ea4660975

  • SHA512

    4cf80e5202a20807fafbe9266f160866c736230790589df261cac9825c7cb29e8d254f830993ada661b875c0127612bea861b82ad94dac8feb91e46f24303d29

Score
10/10
agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.karanex.com
  • Port:
    587
  • Username:
    kindok@karanex.com
  • Password:
    Oi&-tmhj@d5v

Targets

    • Target

      PO_DEA657-ARFT-HD51012.exe

    • Size

      685KB

    • MD5

      6ccb26ef552a1c49f6003dad2d7afd32

    • SHA1

      5ae4a9a47b735329695592aad58b8b95ca846c88

    • SHA256

      1dc5a420f5f2b1fde70c54cf70d22af94b7fbea0206e9f0c9a20d70ea4660975

    • SHA512

      4cf80e5202a20807fafbe9266f160866c736230790589df261cac9825c7cb29e8d254f830993ada661b875c0127612bea861b82ad94dac8feb91e46f24303d29

    Score
    10/10
    agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Registers COM server for autorun

      persistence

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks