General

  • Target: 4ac3bf1211efa081b87d49d3b40d8851b0fc66a29f6ad3beb3cb1649d02b8478
  • Size: 560KB
  • Sample: 220520-2h7pasaebn
  • MD5: 698029bb07e262b93f2fe800aa188675
  • SHA1: e928fc58ee0cfd1ca0c250ac9039059b1cad2973
  • SHA256: 4ac3bf1211efa081b87d49d3b40d8851b0fc66a29f6ad3beb3cb1649d02b8478
  • SHA512: d28ac44e6c55d81904fcf6262ffcb1d67a667e4ca6837d59c7b9cf7688a06e0876a86e717e582047b51a1995ca889ba8efbfb820cbd4490a393e809b6b9c89a2

Malware Config

Extracted

Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.yandex.com
  • Port: 587
  • Username: [email protected]
  • Password: kissme4eva

Targets

    • Target: VQiCue7HEz6VM3g.exe
    • Size: 593KB
    • MD5: a99ce8dca56f302d6df6c8abcfc707bc
    • SHA1: 57f84fc433737662a1edaf8675f3f28038347126
    • SHA256: 096e367392216bef16b7bb081ec13edbf71a774b5f8de11fe22a15fed254f8c9
    • SHA512: e5796de19bd9c58c3c49794b1240f16af777308a47333ce8ec41e44ce28f7517c660a70e98f63c21ad7d5c2fb6a10eafb71c1172bea493cbcfe780fa432a8867

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
