Overview

overview

10

Static

static

DOC.exe

windows7_x64

10

DOC.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3dd70997634cf1fa38ef4b476bf7ca5b88930b5bc69f37ad12df8013b110878a

  • Size

    511KB

  • Sample

    220520-3dadnsbfcl

  • MD5

    0104adee808048e24eb685ac0b2e1d3d

  • SHA1

    ac171f598a8c2da4d7c3fa12abc8bbc07c87ca0a

  • SHA256

    3dd70997634cf1fa38ef4b476bf7ca5b88930b5bc69f37ad12df8013b110878a

  • SHA512

    b671927c7c6d5fa7b9671706357598bdeedbc09dd6ce69e4c899933e5ef956fdf280261e5ea1695db9686c572dda0b82a093bbd1d964dda03f786a370d50c54c

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.palcoman.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    GgwWVBJ5

Targets

    • Target

      DOC.exe

    • Size

      687KB

    • MD5

      95cbcdfe7d89c89c759303a0e845d8b1

    • SHA1

      3950ee91663e1142e889208c474ebc7d36995d5c

    • SHA256

      f82fcb01f1334b2885bc090c3bc8bc587f64919b9739e95ffe12c9e5d5bc11cd

    • SHA512

      c00438306fe5bfae406db98ea71779745ebbe4643c2993fb12a47a13dca2de5c71ec40a81cbf8d9e7ad3901b6921ef9e46d7bd01d597c89df6a494ed20493e31

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojancollection

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks