General

  • Target: 0f9b8d8ae8d005c9ae9258981a54caf8652d0287cf4061993caafc90414849eb
  • Size: 441KB
  • Sample: 220520-2nvxpafff7
  • MD5: 7b347b8ba2c4090d6538bf10f24f1310
  • SHA1: 16f0cf77f67721d24673bab65fc7c3064a284e16
  • SHA256: 0f9b8d8ae8d005c9ae9258981a54caf8652d0287cf4061993caafc90414849eb
  • SHA512: 72751a66a4e27c915df832071d7c9f27a9b998e289d004afa60d01b0fd23a62e7ff25d125b54642f400e23c5eb96b95c480101a7fa29f7cf8885affdb08351e3

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.yandex.ru
  • Port: 587
  • Username: [email protected]
  • Password: bigboy5570@@@@

Targets

    • Target: SKM_C3350191107102300.exe
    • Size: 551KB
    • MD5: 158dd75ecfc180976e54fad0b80d0d56
    • SHA1: 0f57c8303f27a51be62a468ea625830b293f93b9
    • SHA256: 0687d57f87a19e9860bc0f991a91ea9af31f8625dd15d191f4fac7e73520b49b
    • SHA512: 63930b1abb98a7efefca9661f7a1fa96fbfb8f00b876973ad2d4408073a3d0f58ba6773c64542ec24be809c252454af1b03aa4decdde09b2bcec47b2374e2d0d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1
  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 2

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 2
  • Email Collection (T1114): 1