General

  • Target

    8f756a0647aa0f1421ac081da6c16883c38c18008c96f50cd3a3545dd71af02c

  • Size

    1.2MB

  • Sample

    220520-2da5jafbc5

  • MD5

    876ddbfc2e4be0d037a4813c0dc1ef2c

  • SHA1

    089bcdd9ad286f48d5b0a20948f6dda0ffc4dd64

  • SHA256

    8f756a0647aa0f1421ac081da6c16883c38c18008c96f50cd3a3545dd71af02c

  • SHA512

    2c387e7205c8a0b09a15ad610ed2b78f5d03f5314ff10f812bef4db3a8b08066b735dd4a1a10bfef99b6c645f11bae29c99762906300dddf2a877f8cc630dab1

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    333link00win

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    333link00win

Targets

    • Target

      DRAFT_BL.SCR

    • Size

      671KB

    • MD5

      04c8a416d116d67e72ab3913081d58c1

    • SHA1

      47e52d3689f4ecd6be15ca46fcb2f2ef6c0885c3

    • SHA256

      62fcdae1698a3257838b23279dfb2706ed7eb727cbe24e89ab2445565d45de04

    • SHA512

      fb82d5cbbd277e74591e023ed3be0882c527d8224f152154801ac1aeaac6a0171510b88f602fde1c64ac9fd21e0b3682da68966fee0b3acc03694c0322d360ff

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (1): T1053
  • Persistence
    Scheduled Task (1): T1053
  • Privilege Escalation
    Scheduled Task (1): T1053
  • Credential Access
    Credentials in Files (3): T1081
  • Discovery
    Query Registry (1): T1012
    System Information Discovery (2): T1082
  • Collection
    Data from Local System (3): T1005
    Email Collection (1): T1114

Tasks