Overview

overview

10

Static

static

10

RFQ__PR_.exe

windows7_x64

10

RFQ__PR_.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    60d64391a2d2632f20b0861d2f74f6568fb70bcceedfaf998db1d88ad4a4cc81

  • Size

    1.5MB

  • Sample

    220121-3svm6adhdn

  • MD5

    5a6063f82f30891759b87451ece26282

  • SHA1

    f84bdf14cba2537e0ce95f3fcc5ba4f69033d94a

  • SHA256

    60d64391a2d2632f20b0861d2f74f6568fb70bcceedfaf998db1d88ad4a4cc81

  • SHA512

    5e99628aa2ef807f7ae594118242ab9f0ec78cc69efb7f79a5dd709eb8dbfeb077414266c3f042e466c0be6b065c479ac2ea9007bf4516c02b852ba5efa84245

Score
10/10
agentteslaagilenetcollectionkeyloggerspywarestealertrojan

Malware Config

Targets

    • Target

      RFQ__PR_.EXE

    • Size

      955KB

    • MD5

      6d823d1b2a16711319fa18cd7572dd5f

    • SHA1

      939bd30ea50d1aed08709d404fb2fc3ec560bdf4

    • SHA256

      af77d39da76931a81bfd25f69b8bada064540e564af4848d5f87abb3c1eae795

    • SHA512

      b725130440f061665edebe68849234b6c64d68fcc9509cdd90cedb72b67ea135f7c64e4dc2d71a6fce64f8593e5138f06628f2a2c56c366328a449c94e0165c5

    Score
    10/10
    agentteslaagilenetcollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks