Overview

overview

10

Static

static

004_ORDEN ...DF.exe

windows7_x64

10

004_ORDEN ...DF.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    004_ORDEN DE COMPRA 80107.PDF.exe

  • Size

    185KB

  • Sample

    220119-jan8wafhfn

  • MD5

    2b994636254e2a45d7feeec62a6c4294

  • SHA1

    43be6c536cfc0edcd2d1a335abcc0110f7fe2b6c

  • SHA256

    2eb62d09e301701921e3f7a70aacebdaef1ad8cd55c600adc6005a17e7607edc

  • SHA512

    3dcda0effe13ee3acff1408279cd514b85cb193c861d64fa831694ec42c1ea669d9eeb45362bc23e149c739ad6cc54678258d7d766f6b9448afa52cbe2566605

Score
10/10
agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.gettoner.com.mx/
  • Port:
    21
  • Username:
    droid@gettoner.com.mx
  • Password:
    fedxunited543@

Targets

    • Target

      004_ORDEN DE COMPRA 80107.PDF.exe

    • Size

      185KB

    • MD5

      2b994636254e2a45d7feeec62a6c4294

    • SHA1

      43be6c536cfc0edcd2d1a335abcc0110f7fe2b6c

    • SHA256

      2eb62d09e301701921e3f7a70aacebdaef1ad8cd55c600adc6005a17e7607edc

    • SHA512

      3dcda0effe13ee3acff1408279cd514b85cb193c861d64fa831694ec42c1ea669d9eeb45362bc23e149c739ad6cc54678258d7d766f6b9448afa52cbe2566605

    Score
    10/10
    agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • AgentTesla Payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks