General

  • Target

    ffa41de9394c54c03f5542aeeea435a676c281cf2f59eb4f4e2a580011c21bca

  • Size

    626KB

  • Sample

    220520-3gywfaghc9

  • MD5

    abc6fe2d10e70f9ba7435cd29c06a2af

  • SHA1

    2d3a2f75a03b56ff20f456ea6a97a3fd0307ac21

  • SHA256

    ffa41de9394c54c03f5542aeeea435a676c281cf2f59eb4f4e2a580011c21bca

  • SHA512

    ac0905ac330d2f937fafbc7bd672ea0f95a3a392ad7a21fcc75100bee2695ca92e55ef7e026fd78c1a33f7115e8c1b5b69f7100c117d0b3e21b08d54be2412c0

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Iqb*)yC2

Targets

    • Target

      NEW ORDER..inv.exe

    • Size

      794KB

    • MD5

      09110d6067e758a651e6bad7f867678a

    • SHA1

      99824123e1b8efabdfa85f8c22857fd0727059cb

    • SHA256

      221f5da25d402be75cc7e28bb3edc241f293284d28fd4f37d0bf88213de4456f

    • SHA512

      0e1a9bfdef21b3874fe53965dc3efc660d02001e0cd5913ef8ceff264efab3a2660a5f76bce20c30d86d8d5ae3117e2d36f087177aebed601877519c88234c88

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks