Overview

overview

10

Static

static

Contract form C2.exe

windows7_x64

10

Contract form C2.exe

windows10-2004_x64

10

Payment Bi...ce.exe

windows7_x64

10

Payment Bi...ce.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9d9d7ca207a922cb738b05ba28e8cc471d81e826d54dd0e35b74e1a826379f69

  • Size

    1.6MB

  • Sample

    220520-2spapsahhk

  • MD5

    5b23036fab0397274bd9c4dfb96c44fc

  • SHA1

    38b2415fa86bbfda429a2e5a461bca520e7ed153

  • SHA256

    9d9d7ca207a922cb738b05ba28e8cc471d81e826d54dd0e35b74e1a826379f69

  • SHA512

    96a17297ba29e3e3244a44923bd92cfa7f3261eb3bddb5a75283b0d4277649a0fb549fddaff25ef286a0fd3c58165b88c1641747071a32d5b28bbdee23840e0f

Score
10/10
agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mapi.diplemailsrvr.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Banachi@1974

Targets

    • Target

      Contract form C2.exe

    • Size

      1.1MB

    • MD5

      61cd9cf4bdb92c7b87610c6ca3bbb9f2

    • SHA1

      98eb1b85c2f5a4df9d964089b7ef73e11ab299cb

    • SHA256

      5e5d665f261aacccd45ce0cdeb9c09190918eca48adf692919446bf5a2b8b2ba

    • SHA512

      f197d5cf146577569657b919c259ebcbf5779e4e7946101a720cd7929833b17b472008b175ddd553fc6f302c3d5f268a31ee1fc0669f5dbf127cb10ab345093f

    Score
    10/10
    agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Payment Bid Reference.exe

    • Size

      1.1MB

    • MD5

      61cd9cf4bdb92c7b87610c6ca3bbb9f2

    • SHA1

      98eb1b85c2f5a4df9d964089b7ef73e11ab299cb

    • SHA256

      5e5d665f261aacccd45ce0cdeb9c09190918eca48adf692919446bf5a2b8b2ba

    • SHA512

      f197d5cf146577569657b919c259ebcbf5779e4e7946101a720cd7929833b17b472008b175ddd553fc6f302c3d5f268a31ee1fc0669f5dbf127cb10ab345093f

    Score
    10/10
    agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks