General

  • Target

    71037728ddcea1b094b4bc48fa92b2a0895f009f17e0e9354a3dc5fb0077e8bc

  • Size

    761KB

  • Sample

    220208-nnzc8agbaq

  • MD5

    f197a5709bab2c42314d318e545a6bc9

  • SHA1

    595fc6595040809e3e15460d0b4e313896629f7d

  • SHA256

    7eedffcd0658cb23b499134305a7b292d9bbd526ad9df6b7b920a4f8bbd01120

  • SHA512

    6b1b93920717b2caceb3aaf51421c2152a966819b6b04aa3dcfac864fb9318a486e1edaf3fa4829160b17678d0975b4a9621f6b11c9bd56535d0e0c86b9509b9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://nanyainc.cf/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    7qB+iH=KrUUT

Targets

    • Target

      71037728ddcea1b094b4bc48fa92b2a0895f009f17e0e9354a3dc5fb0077e8bc

    • Size

      888KB

    • MD5

      b420cd9c5eefe5c4b1a80958476ceef2

    • SHA1

      ec9bad3fe35f25be002005011bbec029af4db4dd

    • SHA256

      71037728ddcea1b094b4bc48fa92b2a0895f009f17e0e9354a3dc5fb0077e8bc

    • SHA512

      13b43f836e34385003aef7074f355100481ddf46ab556f4094ee0cef0b8ef4233d90e83579b8ef15d63e91648d9e62271f91fafe40e9e69e1885430bb9aadb2a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.

    • AgentTesla Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks