General

  • Target

    3c3b45e6d6265197ba3924d89a6a824e31918e48df05a21c130ac9921d3f27a9

  • Size

    472KB

  • Sample

    220520-2zgjfagcd6

  • MD5

    1864a8d42ebe62b33c86d53e38eb5e68

  • SHA1

    106e27db39b501be1a1fdbe102aae113e94adb47

  • SHA256

    3c3b45e6d6265197ba3924d89a6a824e31918e48df05a21c130ac9921d3f27a9

  • SHA512

    6a83d5b795f135f50f735f20d1c0e3bc719c768337843e441a6d56943a4d5f16ab07ec6cbd39af1f8725cde51d7f262a4627e710731ea64af5a78bf4ecdd10e2

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mytravelexplorer.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    2JWcb}iP#4]+

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mytravelexplorer.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    2JWcb}iP#4]+
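The extracted SMTP configuration and the file hashes above are the indicators a responder would hunt with. The following is an added example (not part of the sandbox report) that turns them into two checks: matching file digests against the report, and flagging Sysmon Event ID 3-style network-connection records that either contact the exfiltration host or show a process other than a mail client speaking SMTP submission on TCP/587. The Sysmon-style records and the mail-client allow-list are constructed assumptions; the attacker's mailbox password is deliberately not carried into the code, since the host/port pair is what is useful for detection.

```python
"""Detection helpers built from the indicators in this report.

Added example, not part of the sandbox output. The hashes and the SMTP
host/port are copied from the report; the event records below are
constructed to look like Sysmon Event ID 3 (network connection) fields.
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators copied from the report (the 472KB submission and the 563KB
# executable it contains).
FILE_IOCS: Dict[str, Dict[str, str]] = {
    "submission (472KB)": {
        "md5": "1864a8d42ebe62b33c86d53e38eb5e68",
        "sha1": "106e27db39b501be1a1fdbe102aae113e94adb47",
        "sha256": "3c3b45e6d6265197ba3924d89a6a824e31918e48df05a21c130ac9921d3f27a9",
    },
    "ALWAKRA PROJECT_REF00023#25062018#_DA26.exe (563KB)": {
        "md5": "b42a75b9f278b66aeb068ef55e6cdd12",
        "sha1": "084821e1939d389f6a09bb1fb7211b770b6ebf5e",
        "sha256": "a0b5afcab56631d737decbb0378a3aa681f0d053fba8b829a039b452c0be79ed",
    },
}
C2_SMTP_HOST = "mail.mytravelexplorer.com"
C2_SMTP_PORT = 587

# Processes that legitimately use SMTP submission from a workstation.
# This allow-list is an assumption; tune it to the environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def hashes_of(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of a byte string as lowercase hex (same algorithms as the report)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hash(digest: str) -> Optional[Tuple[str, str]]:
    """Return (sample_label, algorithm) if digest matches a known IOC, else None.

    Comparison is case-insensitive; the algorithm is inferred from which
    entry matched, so callers do not have to know the digest length.
    """
    d = digest.strip().lower()
    for label, hashes in FILE_IOCS.items():
        for alg, known in hashes.items():
            if d == known:
                return label, alg
    return None


def scan_network_events(events: Iterable[Dict[str, object]]) -> List[str]:
    """Flag Sysmon EID 3-style records that look like AgentTesla SMTP exfiltration.

    Two independent triggers: (1) any connection to the extracted C2 host,
    whatever the port; (2) a process outside the mail-client allow-list
    talking to TCP/587. The second catches the same family with a
    different mailbox, at the cost of needing a tuned allow-list.
    """
    alerts: List[str] = []
    for ev in events:
        image = str(ev.get("Image", "")).rsplit("\\", 1)[-1].lower()
        host = str(ev.get("DestinationHostname", "")).lower()
        port = int(ev.get("DestinationPort", 0))
        if host == C2_SMTP_HOST:
            alerts.append(f"C2 host contacted by {image} ({host}:{port})")
        elif port == C2_SMTP_PORT and image not in MAIL_CLIENTS:
            dest = host or str(ev.get("DestinationIp", "?"))
            alerts.append(f"Non-mail process {image} using SMTP submission to {dest}:{port}")
    return alerts


# Constructed records (not from the sandbox run); IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\ALWAKRA PROJECT_REF00023#25062018#_DA26.exe",
     "DestinationHostname": "mail.mytravelexplorer.com", "DestinationIp": "203.0.113.10", "DestinationPort": 587},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "outlook.office365.com", "DestinationIp": "198.51.100.7", "DestinationPort": 587},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\tmp1234.exe",
     "DestinationHostname": "", "DestinationIp": "203.0.113.10", "DestinationPort": 587},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.org", "DestinationIp": "192.0.2.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    print(match_hash("1864a8d42ebe62b33c86d53e38eb5e68"))
    for line in scan_network_events(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The hostname-based trigger only fires when the endpoint logged a resolved name; the port-based trigger is what catches the third record, where only the IP is present. Mail traffic from a browser-hosted webmail client goes over 443 and is not touched by either rule.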

Targets

    • Target

      ALWAKRA PROJECT_REF00023#25062018#_DA26.exe

    • Size

      563KB

    • MD5

      b42a75b9f278b66aeb068ef55e6cdd12

    • SHA1

      084821e1939d389f6a09bb1fb7211b770b6ebf5e

    • SHA256

      a0b5afcab56631d737decbb0378a3aa681f0d053fba8b829a039b452c0be79ed

    • SHA512

      00cbfe260a158bfbba14a0aa9fb47cc316899416cf9dcc9c6082e773390a470d639f83946ba1ff9bf39d9d9dfe0478bcf6a27c8fb2ca99ae31370cd0e47e708c

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer written in Visual Basic .NET; in practice it is used almost entirely for harvesting saved credentials and exfiltrating them, here over SMTP.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check that lets the sample avoid running in selected locales.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved passwords on disk, where infostealers commonly target them.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      Redirecting a suspended thread with SetThreadContext is characteristic of process hollowing (RunPE-style injection), where the final payload is written into another process and that process's thread is pointed at it.
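The "Reads data files stored by FTP clients" signature above means the saved FileZilla site list was read, and a responder needs to know which stored credentials were exposed so they can be rotated. The following is an added example for that scoping step (it is not sandbox output or FileZilla's own code). It relies on the fact that FileZilla keeps saved servers in %APPDATA%\FileZilla\sitemanager.xml and recent connections in recentservers.xml, with passwords stored as reversible base64 in a `<Pass encoding="base64">` element, which is exactly why stealers read those files. The XML input is constructed to match that layout, and the protocol-number mapping (0 = FTP, 1 = SFTP) is an assumption limited to those two values.

```python
"""Scope which saved FileZilla credentials an infostealer could have taken.

Added example for incident response, not part of the sandbox report.
FileZilla stores saved sites in %APPDATA%\\FileZilla\\sitemanager.xml and
recent connections in recentservers.xml; both use the same <Server>
element, and a saved password is base64 in <Pass encoding="base64">.
The XML below is constructed to match that layout.
"""
import base64
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

FILEZILLA_FILES = ("sitemanager.xml", "recentservers.xml")


def filezilla_config_paths(appdata: Optional[str] = None) -> List[str]:
    """The files the stealer reads. Pass the Roaming directory of a collected
    profile (or mounted image) to analyse offline; defaults to this host's APPDATA."""
    base = appdata if appdata is not None else os.environ.get("APPDATA", "")
    return [os.path.join(base, "FileZilla", name) for name in FILEZILLA_FILES]


def _decode_pass(elem: Optional[ET.Element]) -> str:
    """Recover the stored password text. Old FileZilla builds stored plaintext,
    current ones base64; neither is encryption, so presence == exposure."""
    if elem is None or not elem.text:
        return ""
    if elem.get("encoding") == "base64":
        return base64.b64decode(elem.text.strip()).decode("utf-8", "replace")
    return elem.text


def exposed_credentials(xml_text: str) -> List[Dict[str, object]]:
    """One record per <Server> entry (including those nested in <Folder>) that
    carries a saved password. The password is decoded only to measure it; the
    record never contains the secret, so the list can be handed to account owners."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for server in root.iter("Server"):
        pw = _decode_pass(server.find("Pass"))
        if not pw:
            continue  # anonymous, "ask for password" or key-based entries store nothing
        findings.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": server.findtext("Host", ""),
            "port": int(server.findtext("Port", "0") or 0),
            "user": server.findtext("User", ""),
            "protocol": int(server.findtext("Protocol", "0") or 0),
            "password_len": len(pw),
        })
    return findings


def rotation_plan(findings: List[Dict[str, object]]) -> List[str]:
    """Human-readable rotation list. Protocol 0 is plain FTP and 1 is SFTP in the
    site manager (assumed mapping; other values are reported numerically)."""
    lines = []
    for f in findings:
        proto = {0: "plain FTP", 1: "SFTP"}.get(int(f["protocol"]), f"protocol {f['protocol']}")
        lines.append(f"{f['user']}@{f['host']}:{f['port']} [{proto}] "
                     f"saved password ({f['password_len']} chars) -> rotate")
    return lines


# Constructed sitemanager.xml (not from the sandbox run). Hosts are example domains.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.55.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol><Type>0</Type>
      <User>deploy</User><Pass encoding="base64">aHVudGVyMg==</Pass><Logontype>1</Logontype>
      <Name>Production FTP</Name>
    </Server>
    <Folder expanded="1">Clients
      <Server>
        <Host>sftp.example.net</Host><Port>22</Port><Protocol>1</Protocol><Type>0</Type>
        <User>backup</User><Pass encoding="base64">Y29ycmVjdCBob3JzZQ==</Pass><Logontype>1</Logontype>
        <Name>Backup host</Name>
      </Server>
    </Folder>
    <Server>
      <Host>ftp.mirror.example.org</Host><Port>21</Port><Protocol>0</Protocol><Type>0</Type>
      <User>anonymous</User><Logontype>0</Logontype><Name>Public mirror</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

if __name__ == "__main__":
    for line in rotation_plan(exposed_credentials(SAMPLE_SITEMANAGER)):
        print(line)
```

Run it against both files returned by filezilla_config_paths(); recentservers.xml uses the same <Server> layout under a <RecentServers> element, so the same parser applies. The plain-FTP entries deserve priority: beyond the stolen file, those passwords also crossed the network unencrypted every time the site was used.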

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic                 Technique                      Count   ID
    Execution              Scheduled Task                 1       T1053
    Persistence            Scheduled Task                 1       T1053
    Privilege Escalation   Scheduled Task                 1       T1053
    Credential Access      Credentials in Files           3       T1081
    Discovery              Query Registry                 1       T1012
    Discovery              System Information Discovery   2       T1082
    Collection             Data from Local System         3       T1005
    Collection             Email Collection               1       T1114

    The IDs follow ATT&CK v6; in current ATT&CK, T1081 has been retired into T1552.001 (Unsecured Credentials: Credentials In Files) and the Windows scheduled-task behaviour is T1053.005.

Tasks