General

  • Target

    2ea073ddc357d19912eeb45d967fd80c742a676cf9f00ad8d7ade93be5e4b101

  • Size

    1.2MB

  • Sample

    220208-dh98escdh7

  • MD5

    472d076a50474e002f4bd798eac94876

  • SHA1

    4d6f29a4f6a496394156ed800b4dfd6cd952d4f0

  • SHA256

    2ea073ddc357d19912eeb45d967fd80c742a676cf9f00ad8d7ade93be5e4b101

  • SHA512

    faaa86c4c78d4cd741d41842a09b457489346c32ab8ac5226641d60fc64d10a3d5abe64bff1bc2bd0ebd5b74f12e196f5dc959478fe57fb63d2722ce3591f3cb

Malware Config

Targets

    • Target

      PO_Invoices_pdf.exe

    • Size

      1.6MB

    • MD5

      59d7d8d5dd3e0055e7c0dcc75897f569

    • SHA1

      b249b28d088d54e971e2d9d8b2688440f8e6d513

    • SHA256

      ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb

    • SHA512

      79ebc2a128d018eb7e71b254fdd2fa72deae18081f1732619046e1db9d1aee92f7529521c005a5f861275afcbda3a39fd304cd5e1a49df848675460c5cf8f30d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main Payload

    • AgentTesla Payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                      ID     Matches
Credential Access   Credentials in Files           T1081  3
Discovery           Query Registry                 T1012  1
Discovery           System Information Discovery   T1082  2
Collection          Data from Local System         T1005  3
Collection          Email Collection               T1114  1

Tasks