Overview

overview

10

Static

static

PO-akt_Tan-Alco.exe

windows7_x64

10

PO-akt_Tan-Alco.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ea0edafe442306e8dd2f5bcb4aedda9f661d78a433ce047e7e73664cc5aff5d3

  • Size

    369KB

  • Sample

    220520-2p3c6aagfm

  • MD5

    67ad98ca429391448646b80717e47485

  • SHA1

    80a830d5e7b3f2c3a3223f5a69d093718f71a408

  • SHA256

    ea0edafe442306e8dd2f5bcb4aedda9f661d78a433ce047e7e73664cc5aff5d3

  • SHA512

    cdb793a3692c95b79e47584377097c8250eaa2d7df1e28263b66c96ef8b670a6f4c0c7f31169e2cc8f4c2da0d7edbda5203bb30c642f609219e9a52514c2318a

Score
10/10
agentteslaagilenetcollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    COKOeve8899

Targets

    • Target

      PO-akt_Tan-Alco.exe

    • Size

      668KB

    • MD5

      bc2821096f2b2174c977e259af246c8a

    • SHA1

      82dd7ed392e2bdb2d4301732096cbe3a03aeb28b

    • SHA256

      6115c150172e6c50f31feb952cc4bfa452682eb0993388eab3d22d4162f2c09a

    • SHA512

      7197562caff912e0c673dffef912ed22770d7d886ab4a08dda83d981aebd0bdd59e694d964bb444e11e92bce0076fca3590dd108a9cb6d9e133503b9ba12d579

    Score
    10/10
    agentteslaagilenetcollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks