Overview

overview

10

Static

static

YPeBi8FRoTIc8md.exe

windows7_x64

9

YPeBi8FRoTIc8md.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d3251e8e030bc09c1cbc4ede2a32e7502dbb5779aab30f0719c73f8ba26c06e6

  • Size

    697KB

  • Sample

    220520-18jjqaaabl

  • MD5

    fec57d0e40aa755bc541b980e6367114

  • SHA1

    d65fcf925df91c9e2d94562b41d58621d836b9c7

  • SHA256

    d3251e8e030bc09c1cbc4ede2a32e7502dbb5779aab30f0719c73f8ba26c06e6

  • SHA512

    d4b9c5d5a91ddf18aa31a49ab3e37ce07b6b155b797e42b90dbb88b078a9dff8cdfb652eb11407982103e1b96be473300a37b07bafc21f91c3a8283284197f08

Score
10/10
agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.rajalakshmi.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    016_PROjects*

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.rajalakshmi.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    016_PROjects*

Targets

    • Target

      YPeBi8FRoTIc8md.exe

    • Size

      729KB

    • MD5

      a3c32145cd008844ed15f214b02e35e4

    • SHA1

      e082d807d559e2440438a533974eb568191001e6

    • SHA256

      604a2f99191e372f62b11a4a1009e8adc41f43a8bbf3f26735549889914f0fc7

    • SHA512

      a094cd2bd1112ba2c858f495c297b03180ce16f7166d264e4793fc52a4786f01f358ed8938c4c0d00b555ebf5527d469e4dd7519db2c42d55096ff7fbefc0c4b

    Score
    10/10
    evasionagentteslacollectionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks