General

  • Target

    aebaa928a7a6afebed8a60d6d37f06c8bcb9af2b2eea0f94ba041fec9beec10c

  • Size

    384KB

  • Sample

    220520-2wt1csbbak

  • MD5

    028f4b3cc11e447d855e3b237a027dd5

  • SHA1

    b3be1c3a7ff1e1288341afbd136003d80daa6da6

  • SHA256

    aebaa928a7a6afebed8a60d6d37f06c8bcb9af2b2eea0f94ba041fec9beec10c

  • SHA512

    05e6899788fd6d77ba991b6be729f39c151c998c5ccafe1bf0fd8738f502efc426fb534aeab4cee56db50038a8db7dd2f62c935e5a16e2b743b92ac151136dc8

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

    • Protocol: smtp
    • Host: mail.lotusgrandhotel.ae
    • Port: 587
    • Username: [email protected]
    • Password: Fbm@Lotusgrand

Targets

    • Target

      enquiry.exe

    • Size

      436KB

    • MD5

      8c55b8fb78847c74c2dbbebe321314d0

    • SHA1

      60325625c9418917ba79a12060b3855eb739c7ca

    • SHA256

      90c6b56f55742297280258483cd14c0d92575ba6692f9662a0282bb60eae089a

    • SHA512

      e356157109c89fa9d60e9f11a2d36f4f60811e9d54d4710de561187f6882b8d6c2a714ab0f3d139ed79154702f38ffc3352dbea8e99f13ef6f225c5a201d71a7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                        Count  ID
  Defense Evasion     Virtualization/Sandbox Evasion   2      T1497
  Credential Access   Credentials in Files             3      T1081
  Discovery           Query Registry                   4      T1012
  Discovery           Virtualization/Sandbox Evasion   2      T1497
  Discovery           System Information Discovery     2      T1082
  Discovery           Peripheral Device Discovery      1      T1120
  Collection          Data from Local System           3      T1005
  Collection          Email Collection                 1      T1114

Tasks