Overview

overview

10

Static

static

Shipping D...ft.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    220317-pcwnmadeb6_pw_infected.zip

  • Size

    377KB

  • Sample

    220317-pgntksdef4

  • MD5

    bc9eb54c14073f64e7f571b6a049bd9e

  • SHA1

    d6a34b17bd157a4eb55a0a954a6e9bfd9193a14e

  • SHA256

    cb03d01cbf3783e1d19e26a1f2ff55ce711b53df64b4ddad68367a2ea1bc6a4f

  • SHA512

    c056e31513bb253541e4141a854220119d1cbef94f27dcc21e4f9fb89d13f97dc49f0814b1cc6bd0385f6aa6d040f75d88ad8b68114a246f14ae9be8b23ed089

Score
10/10
agenttesladiamondfoxbotnetcollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    msonsgroup.in
  • Port:
    587
  • Username:
    flex@msonsgroup.in
  • Password:
    flex2424@
  • Email To:
    mbflex@msonsgroup.in

Targets

    • Target

      Shipping Document PL&BL Draft.exe

    • Size

      1.9MB

    • MD5

      94fbe5a58977c921436351766164d747

    • SHA1

      ca7b58e4d9b4caeafa1f772e56a93363a07f6a65

    • SHA256

      8cbf496620e93736005fc69b9eb0f162e4e716786ab5e29e94ead94bf496cd02

    • SHA512

      9f11edd872bb117c1ca00bed355876ff9d87618604675aeb4988cb957d38a2bf820050cf2f4ecaf4301bcd73556d7b06a135d848d01d8bc6713a5d001baaa3a8

    Score
    10/10
    agenttesladiamondfoxbotnetcollectionevasionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • DiamondFox

      DiamondFox is a multipurpose botnet with many capabilities.

      botnetstealerdiamondfox

    • Registers COM server for autorun

      persistence

    • AgentTesla Payload

    • Executes dropped EXE

    • Sets file execution options in registry

      persistence

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Creates a Windows Service

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

2
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

5
T1082

Query Registry

4
T1012

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks