Overview

overview

10

Static

static

Payment Copy.exe

windows7_x64

10

Payment Copy.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment Copy.ace

  • Size

    427KB

  • Sample

    211021-zsjn4sbfdm

  • MD5

    c953fcff4f8d8367bad8cb16bc86b71e

  • SHA1

    3ef3e2dff28483536d952c2dcb8181094b92e885

  • SHA256

    ddc8c1c38c617c6a99201d722284707dfae2a1f76a3cd8858c64b95483729f28

  • SHA512

    fcb480f469bf0abbbc87e1661f3588264a9829c04d388995fd37944568f635c637807eecd44cea3d2a7e4a3cbda5457b253add1f33ccc05da0ddef0acd5f4a86

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.croatiahunt.com
  • Port:
    587
  • Username:
    info@croatiahunt.com
  • Password:
    VilaVrgade852

Targets

    • Target

      Payment Copy.exe

    • Size

      504KB

    • MD5

      76b7a306c697aab9e1a5a152094c9b00

    • SHA1

      caf45c939526b48b6d822fc6bec1a4bf8a62a677

    • SHA256

      7e0eddc6744c2acde5fcc3a9dc3f6f1e7e1c1b85a1033ae93a0fd53489c71c4f

    • SHA512

      f8eb408f40fa5e10e57448a1913d0bd027c4404b83eff75f06057eae6fcb2e8bf0576447218e2ec504936c249be6f97030a5fb3f09238a5998bf0775b7d90955

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks