General

  • Target

    RESITECH_0814PDF.iso

  • Size

    838KB

  • Sample

    211116-kvfynsdab8

  • MD5

    756cb5dc58165475627876cf039d6280

  • SHA1

    89505c09c14c352866f96b0699ad6af8754b4e3c

  • SHA256

    8245ea5bec7122e3062a367366b4019ccddd5dc170957cb13f9e34c916fdd97b

  • SHA512

    1ca22568fcdfe44e530be534ab3d6e3935a34d760edff314d81779d7212113287528a6e4d90f66104d7573fb41fac9b0d643ce74f7d0d42d7fa3c603391ca91e

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.hdconstruct.ro/
  • Port:
    21
  • Username:
    FTPAdmin@hdconstruct.ro
  • Password:
    5R)XZ2Xqis2HZ7p[d6+Oe!0i^C85CQ]uD68jNN@ossy~wH-(ie^9O2(001174?skX%ouFto
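The extracted configuration above is the actionable part of this report: the sample exfiltrates over plain FTP to a fixed host with a fixed account. The following Python is an added detection example, not code from the sandbox or from the malware. It takes only the host, port and username from the "Malware Config" section; the control-channel log records are constructed for the demo (one FTP command per line), the record format is an assumed one, and the Suricata SID is a placeholder to be replaced with one from your local range.

```python
"""Network detection for the AgentTesla FTP exfiltration channel in the extracted config.

Added example; it is not part of the sandbox report or the malware. The only
facts taken from the report are the exfil host, port and username. The log
lines are constructed for the demo (one control-channel command per line), and
the Suricata SID is a placeholder to replace with one from your local range.
"""
import re
from dataclasses import dataclass

# Indicators lifted from the "Malware Config" section above.
EXFIL_HOST = "ftp.hdconstruct.ro"
EXFIL_PORT = 21
EXFIL_USER = "FTPAdmin@hdconstruct.ro"

# Assumed record format: "<ts> <src_ip>:<src_port> -> <dst>:<dst_port> <ftp command>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+?):(?P<sport>\d+) -> (?P<dst>\S+?):(?P<dport>\d+) (?P<cmd>.*)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    reason: str


def analyze_ftp_log(lines):
    """Return one Alert per record that touches the exfil channel.

    Two independent checks, so a rotated drop host and a reused account each
    still trip a detection on their own:
      1. any command sent to EXFIL_HOST:EXFIL_PORT (the channel itself);
      2. a USER command carrying EXFIL_USER to any other host (the account).
    The password is deliberately not matched on; it never belongs in a rule.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a control-channel record in the expected shape
        dst, dport = m["dst"].lower(), int(m["dport"])
        verb, _, arg = m["cmd"].strip().partition(" ")
        if dst == EXFIL_HOST and dport == EXFIL_PORT:
            alerts.append(Alert(m["ts"], m["src"],
                                f"FTP {verb or '?'} to AgentTesla exfil host {EXFIL_HOST}"))
        elif verb.upper() == "USER" and arg.strip().lower() == EXFIL_USER.lower():
            alerts.append(Alert(m["ts"], m["src"],
                                f"AgentTesla exfil account {EXFIL_USER} used against {dst}"))
    return alerts


def suricata_rule(sid):
    """Equivalent Suricata rule for the login; `sid` is a placeholder you choose."""
    return (
        "alert ftp $HOME_NET any -> $EXTERNAL_NET %d ("
        'msg:"AgentTesla FTP exfil login to hdconstruct.ro"; '
        "flow:established,to_server; "
        'content:"USER %s"; nocase; '
        "classtype:trojan-activity; sid:%d; rev:1;)"
    ) % (EXFIL_PORT, EXFIL_USER, sid)


# Constructed sample records (not captured traffic). The third line's file name is invented.
SAMPLE_LOG = [
    "2021-11-16T10:02:11Z 10.0.0.23:49712 -> ftp.hdconstruct.ro:21 USER FTPAdmin@hdconstruct.ro",
    "2021-11-16T10:02:11Z 10.0.0.23:49712 -> ftp.hdconstruct.ro:21 PASS ********",
    "2021-11-16T10:02:12Z 10.0.0.23:49712 -> ftp.hdconstruct.ro:21 STOR report.html",
    "2021-11-16T10:05:40Z 10.0.0.41:50211 -> ftp.example.net:21 USER backup",
    "2021-11-16T10:06:02Z 10.0.0.57:50330 -> 203.0.113.9:21 USER FTPAdmin@hdconstruct.ro",
]

if __name__ == "__main__":
    for a in analyze_ftp_log(SAMPLE_LOG):
        print(a)
    print(suricata_rule(1000001))
```

The host check and the account check are kept separate on purpose: AgentTesla operators rotate drop servers more often than they rotate the stolen FTP account, so matching the `USER` string alone still catches a rebuilt sample pointed at a new host. The password from the config is left out of both the matcher and the Suricata rule; it is a secret that belongs in an abuse report to the hosting provider, not in a rule that is copied between SIEMs.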

Targets

    • Target

      RESITECH_0814PDF.exe

    • Size

      777KB

    • MD5

      0f30b7a70e8e6ec8762bdad8441d0a61

    • SHA1

      dbf9cae17ee058d9e5181c51b9047e350bc1fcf2

    • SHA256

      086ea860e6e2344c086ab361f6374d8c92165767416a72962823956e195ab770

    • SHA512

      031bd16b0bba3641aac630b4874148833cf6fed4930ee9a7bcef80c47319691065285e7e706c666bb83be4b00ff8842dbd58372404f116985ab51136d95fb520

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT); samples are typically compiled from Visual Basic .NET or C#.

    • AgentTesla Payload

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk, where infostealers often target them.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
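The four credential-store signatures above describe what the sample reads on the host. The following Python is an added host-side detection example, not part of the sandbox report. The paths are the standard locations of the FileZilla, Thunderbird, Chrome and Firefox stores those signatures refer to, plus the Outlook profile registry key; the audit events are constructed (their shape loosely follows Windows object-access auditing, event 4663), and the signature-to-technique mapping is an assumption read off the ATT&CK counts in the report (three signatures under T1081 and T1005, one under T1114), not something the report states explicitly.

```python
"""Host-side detection for the credential-store reads listed in the signatures above.

Added example; not part of the sandbox report. The paths are the standard
locations of the FileZilla, Thunderbird, Chrome and Firefox stores those
signatures refer to, plus the Outlook profile registry key. The audit events
are constructed (shape loosely follows Windows object-access auditing, event
4663), and the signature-to-technique mapping is an assumption read off the
ATT&CK counts in the report, not something the report states explicitly.
"""
import re
from collections import defaultdict

# signature -> (ATT&CK v6 technique IDs, path regexes over lower-cased, forward-slash paths)
CREDENTIAL_STORES = {
    "Reads data files stored by FTP clients": (("T1081", "T1005"), [
        r"/filezilla/sitemanager\.xml$",
        r"/filezilla/recentservers\.xml$",
    ]),
    "Reads user/profile data of local email clients": (("T1081", "T1005"), [
        r"/thunderbird/profiles/[^/]+/logins\.json$",
        r"/thunderbird/profiles/[^/]+/key4\.db$",
    ]),
    "Reads user/profile data of web browsers": (("T1081", "T1005"), [
        r"/google/chrome/user data/[^/]+/login data$",
        r"/google/chrome/user data/local state$",
        r"/mozilla/firefox/profiles/[^/]+/logins\.json$",
        r"/mozilla/firefox/profiles/[^/]+/key4\.db$",
    ]),
    "Accesses Microsoft Outlook profiles": (("T1114",), [
        r"^hkcu/software/microsoft/office/[^/]+/outlook/profiles/",
    ]),
}

# The application that owns a store reading it is normal and is not counted.
LEGITIMATE_OWNERS = {
    "Reads data files stored by FTP clients": {"filezilla.exe"},
    "Reads user/profile data of local email clients": {"thunderbird.exe"},
    "Reads user/profile data of web browsers": {"chrome.exe", "firefox.exe"},
    "Accesses Microsoft Outlook profiles": {"outlook.exe"},
}


def classify(obj):
    """Return (signature, technique_ids) if `obj` is a known credential store, else None."""
    p = obj.replace("\\", "/").lower()
    for sig, (techniques, patterns) in CREDENTIAL_STORES.items():
        if any(re.search(pat, p) for pat in patterns):
            return sig, techniques
    return None


def summarize(events):
    """Group store accesses per process, skipping each store's own application."""
    hits = defaultdict(lambda: {"signatures": set(), "techniques": set(), "objects": []})
    for ev in events:
        hit = classify(ev["object"])
        if hit is None:
            continue
        sig, techniques = hit
        if ev["process"].lower() in LEGITIMATE_OWNERS.get(sig, set()):
            continue
        h = hits[ev["process"]]
        h["signatures"].add(sig)
        h["techniques"].update(techniques)
        h["objects"].append(ev["object"])
    return dict(hits)


def flag_infostealers(events, min_signatures=2):
    """One process touching stores of several unrelated applications is the
    infostealer tell; a single store alone is usually a sync tool or a backup."""
    return {proc: h for proc, h in summarize(events).items()
            if len(h["signatures"]) >= min_signatures}


# Constructed audit events (not real telemetry); the first five imitate the sample above.
SAMPLE_EVENTS = [
    {"ts": "10:02:01", "process": "RESITECH_0814PDF.exe", "object": r"C:\Users\bob\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"ts": "10:02:01", "process": "RESITECH_0814PDF.exe", "object": r"C:\Users\bob\AppData\Roaming\FileZilla\recentservers.xml"},
    {"ts": "10:02:02", "process": "RESITECH_0814PDF.exe", "object": r"C:\Users\bob\AppData\Roaming\Thunderbird\Profiles\k3j9x.default\logins.json"},
    {"ts": "10:02:03", "process": "RESITECH_0814PDF.exe", "object": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "10:02:03", "process": "RESITECH_0814PDF.exe", "object": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"ts": "10:10:44", "process": "filezilla.exe", "object": r"C:\Users\bob\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"ts": "10:11:02", "process": "chrome.exe", "object": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "10:12:00", "process": "notepad.exe", "object": r"C:\Users\bob\Documents\notes.txt"},
]

if __name__ == "__main__":
    for proc, h in flag_infostealers(SAMPLE_EVENTS).items():
        print(proc, sorted(h["signatures"]), sorted(h["techniques"]))
```

The threshold on distinct store categories is what keeps this usable: FileZilla reading `sitemanager.xml` or Chrome reading `Login Data` is the expected owner and is skipped outright, and a backup agent reading one category is below the bar, whereas a freshly dropped executable that reads FTP, mail and browser stores within a couple of seconds of starting is the pattern this report records. Note that Windows does not audit file reads unless a SACL is set on the store directories, so the events above only exist if object-access auditing was enabled beforehand.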

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
      Credentials in Files (T1081): 3 matched signatures
  • Collection
      Data from Local System (T1005): 3 matched signatures
      Email Collection (T1114): 1 matched signature

  Note: these IDs follow ATT&CK v6. T1081 was retired when sub-techniques were introduced in ATT&CK v7; in current versions the same behaviour maps to T1552.001 (Unsecured Credentials: Credentials In Files), while T1005 and T1114 keep their IDs.

Tasks