General

  • Target

    7176c65ba1cf65654b1e54892b11fac71babd69da3285e08411fc73daab92dd0

  • Size

    562KB

  • Sample

    220520-2fdy7sfcb6

  • MD5

    a3fb21352d52d5a5b847587cb21bf743

  • SHA1

    cc6960ce60cdeecaa6b8f8dfa772da0c21f03402

  • SHA256

    7176c65ba1cf65654b1e54892b11fac71babd69da3285e08411fc73daab92dd0

  • SHA512

    95c380543046bea445e2f1f3a4107613b1c1844d4d84fbde94d77911b117487e2a9352710f04bb009849a3c9a02512bae42fbd0764fc96884e80df5afde80bd1

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    roham.dnswebhost.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    $KENECHI1991
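The extracted configuration above is an SMTP exfiltration profile: the stealer logs in to the listed host on submission port 587 with the listed account and mails the harvested data to itself. The following is an added example, not part of the report and not Agent Tesla's own code: it walks a captured SMTP session, decodes the AUTH LOGIN exchange, and matches what it finds against the extracted host and port. The session transcript is constructed; its username and password are placeholders rather than the values from this report, and the subject-prefix check (PW_, KL_, SC_, CO_) relies on prefixes commonly attributed to Agent Tesla reports, which is an assumption to verify against your own samples.

```python
import base64
import binascii
import re

# Host and port as listed under "Credentials" on this page.
EXTRACTED_C2 = {"protocol": "smtp", "host": "roham.dnswebhost.com", "port": 587}

# Constructed SMTP submission session (client lines "C:", server lines "S:").
# The AUTH LOGIN values decode to "user@example.invalid" / "placeholder",
# not to the credentials from the report. Subject prefix is an assumption.
SAMPLE_SESSION = """\
S: 220 roham.dnswebhost.com ESMTP
C: EHLO DESKTOP-1234
S: 250-roham.dnswebhost.com Hello
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlckBleGFtcGxlLmludmFsaWQ=
S: 334 UGFzc3dvcmQ6
C: cGxhY2Vob2xkZXI=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<user@example.invalid>
C: RCPT TO:<user@example.invalid>
C: DATA
C: Subject: PW_User/DESKTOP-1234
C: .
S: 250 OK
"""


def _b64(text: str) -> str:
    """Decode one base64 token; return '' on malformed input instead of raising."""
    try:
        return base64.b64decode(text).decode(errors="replace")
    except (binascii.Error, ValueError):
        return ""


def parse_smtp_session(transcript: str) -> dict:
    """Pull the server name, AUTH LOGIN username/password and message
    subject out of a captured SMTP session transcript."""
    result = {"server": None, "username": None, "password": None, "subject": None}
    expecting = None  # which AUTH LOGIN answer the next client line carries
    for raw in transcript.splitlines():
        who, _, line = raw.partition(": ")
        if who == "S" and line.startswith("220 "):
            result["server"] = line.split()[1]
        elif who == "S" and line.startswith("334 "):
            # Server challenge is base64("Username:") or base64("Password:").
            challenge = _b64(line.split()[1]).lower()
            expecting = "username" if challenge.startswith("username") else "password"
        elif who == "C" and expecting:
            result[expecting] = _b64(line)
            expecting = None
        elif who == "C" and line.lower().startswith("subject:"):
            result["subject"] = line.split(":", 1)[1].strip()
    return result


def match_extracted_config(session: dict, config: dict, dst_port: int) -> list:
    """Return the reasons a session looks like exfiltration to the extracted config."""
    reasons = []
    if session["server"] and session["server"].lower() == config["host"].lower():
        reasons.append(f"SMTP server {session['server']} matches extracted host")
    if dst_port == config["port"]:
        reasons.append(f"destination port {dst_port} matches extracted port")
    if session["subject"] and re.match(r"^(PW|KL|SC|CO)_", session["subject"]):
        reasons.append(f"stealer-style subject prefix: {session['subject']}")
    return reasons


if __name__ == "__main__":
    parsed = parse_smtp_session(SAMPLE_SESSION)
    for reason in match_extracted_config(parsed, EXTRACTED_C2, 587):
        print("ALERT:", reason)
```

On a real capture the AUTH LOGIN exchange is only visible if the client did not negotiate STARTTLS first; when it did, the host and port match is what remains, which is why both are kept as separate reasons rather than a single combined rule.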

Targets

    • Target

      4PGVV5ztI9OHQsS.exe

    • Size

      593KB

    • MD5

      4d744c49b2e414e7fb512b43f22a3aa1

    • SHA1

      c031060a01ce56c430973b6d9be777c765bce0b9

    • SHA256

      4babdf3de87110bb4af05c7117cd6215dc8040345ff840282766a753cd08a5ec

    • SHA512

      36d3991426b90b0fcd8ba08804250c0b7643220101d934af2ecd19ec1ac6300fb2ccd5faf21c6d4a42b89b6535254954803745620ae1eafcd7f70a562fac8e14

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
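The registry lookups in the list above (VirtualBox Guest Additions, VMware Tools, BIOS data, country code, drive enumeration, Outlook profiles) are individually common but rarely all performed by one process. The following is an added example, not part of the report: detection logic that runs over registry-access events, attributes them per process, and flags a process that hits several of the watched locations. The event lines are constructed in a simplified key=value rendering of the fields Sysmon records for Event ID 12/13 (not real Sysmon output); the registry paths are the usual locations for these checks and are assumptions, since the report names the behaviours and not the keys; the image path is constructed and only the filename 4PGVV5ztI9OHQsS.exe comes from the report.

```python
import re
from collections import defaultdict

# Usual registry locations for the behaviours listed in the report (assumption:
# the report names the signatures, not the exact keys it matched on).
WATCHED_KEYS = {
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "VirtualBox Guest Additions lookup (VM detection)",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "VMware Tools key lookup (VM detection)",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": "BIOS information read (sandbox detection)",
    r"HKCU\Control Panel\International\Geo\Nation": "country code lookup (likely geofence)",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum": "connected drive enumeration (sandbox detection)",
    r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles": "Outlook profile access (credential theft)",
}

# Constructed events: EventID 12 = key create/open, 13 = value set/read, in a
# simplified key=value form. Image path is made up; filename is from the report.
SAMPLE_EVENTS = r"""
EventID=12 Image=C:\Users\user\AppData\Roaming\4PGVV5ztI9OHQsS.exe TargetObject=HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
EventID=12 Image=C:\Users\user\AppData\Roaming\4PGVV5ztI9OHQsS.exe TargetObject=HKLM\SOFTWARE\VMware, Inc.\VMware Tools
EventID=13 Image=C:\Users\user\AppData\Roaming\4PGVV5ztI9OHQsS.exe TargetObject=HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
EventID=12 Image=C:\Users\user\AppData\Roaming\4PGVV5ztI9OHQsS.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Control Panel\International\Geo\Nation
EventID=12 Image=C:\Users\user\AppData\Roaming\4PGVV5ztI9OHQsS.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
EventID=12 Image=C:\Users\user\AppData\Roaming\4PGVV5ztI9OHQsS.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
EventID=12 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
"""


def normalize(path: str) -> str:
    """Sysmon reports user hives as HKU\\<SID>\\...; fold that to HKCU for matching."""
    return re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", r"HKCU\\", path, flags=re.I)


def parse_events(text: str) -> list:
    """Parse the simplified event lines into dicts with a normalized target path."""
    events = []
    for line in text.strip().splitlines():
        m = re.match(r"EventID=(\d+) Image=(.*?) TargetObject=(.*)$", line)
        if m:
            events.append({"event_id": int(m.group(1)), "image": m.group(2),
                           "target": normalize(m.group(3))})
    return events


def classify(events: list) -> dict:
    """Map each process image to the set of watched behaviours it triggered."""
    hits = defaultdict(set)
    for ev in events:
        for key, desc in WATCHED_KEYS.items():
            if ev["target"].lower().startswith(key.lower()):
                hits[ev["image"]].add(desc)
    return hits


def suspicious_images(hits: dict, threshold: int = 3) -> list:
    """A single hit (svchost reading Disk\\Enum) is normal; several distinct
    environment checks plus credential-store access from one image is not."""
    return sorted(img for img, descs in hits.items() if len(descs) >= threshold)


if __name__ == "__main__":
    found = classify(parse_events(SAMPLE_EVENTS))
    for image in suspicious_images(found):
        print(image)
        for desc in sorted(found[image]):
            print("   ", desc)
```

The SetThreadContext signature in the list is a different telemetry source: it comes from API monitoring in the sandbox, not from registry events, so it has to be correlated separately (for example from a process-injection detection) rather than folded into this rule.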
