Overview

overview

10

Static

static

RMK TRADIN...F .exe

windows7_x64

10

RMK TRADIN...F .exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d29d57047a3f99e5f7eb81a19c29d11fa5f768dbcb30601a6c05b7e8d259c51e

  • Size

    572KB

  • Sample

    220520-3rsgeahdd9

  • MD5

    f84a6bf112f56b22e02626dec381b291

  • SHA1

    0f76e45236c9af65df5e2211e0fec4592401dcfd

  • SHA256

    d29d57047a3f99e5f7eb81a19c29d11fa5f768dbcb30601a6c05b7e8d259c51e

  • SHA512

    1d867ce50ce7a01ca59fe5b4b6a9a278c45caeb212848a4531af9709dd2aa3d2bce64d97a8d20be4a3eca8482d45d3b9ffd0be7f0299d0b67fe0fcb4cf49175c

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://trend.fischer-landmaschinen.me/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    troopss@@

  • Protocol:     ftp
  • Host:
    ftp://trend.fischer-landmaschinen.me/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    troopss@@

Targets

    • Target

      RMK TRADING LTD CATALOGUE 012_PDF .exe

    • Size

      511KB

    • MD5

      081b3b925c356262788a067306c6c995

    • SHA1

      02b588121e3a2887bf10267232cbfc7e838cd28a

    • SHA256

      eb01b3b824c13f4703f9cb5e981496560de476c1a901ea3b04abec64996a6074

    • SHA512

      5138ab751aaab16d20cb5da8074852b0e7e7e0339ac530fb8023e83e383bc8a5d9593eea7af8277e5f66ecbd6ebef22916b25f63703f88bb6001283fd3559fcc

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks