General

  • Target

    cc366f74f3a57b174cfcb3d769ed5042e4e3b3f3daf611574d5ee6f09be8ea39

  • Size

    488KB

  • Sample

    220520-3s5hcsheb2

  • MD5

    1520dce1c9e2ed239b4c9a22cf57eed7

  • SHA1

    1ca4cd8f6eb2929262a1cf528e73309cf7e0ae94

  • SHA256

    cc366f74f3a57b174cfcb3d769ed5042e4e3b3f3daf611574d5ee6f09be8ea39

  • SHA512

    dbe9fbdcb7f71d962ec75559c00a78dd75df23e6a3a1838ef9a5fcda72366143e7e9815ce772fdd38240f3d39ccd4f74a50b7b94591bed57a4a59f3331601faa

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.yandex.com
  • Port: 587
  • Username: [email protected]
  • Password: Safirxxx01

Targets

    • Target

      cc366f74f3a57b174cfcb3d769ed5042e4e3b3f3daf611574d5ee6f09be8ea39

    • Size

      488KB

    • MD5

      1520dce1c9e2ed239b4c9a22cf57eed7

    • SHA1

      1ca4cd8f6eb2929262a1cf528e73309cf7e0ae94

    • SHA256

      cc366f74f3a57b174cfcb3d769ed5042e4e3b3f3daf611574d5ee6f09be8ea39

    • SHA512

      dbe9fbdcb7f71d962ec75559c00a78dd75df23e6a3a1838ef9a5fcda72366143e7e9815ce772fdd38240f3d39ccd4f74a50b7b94591bed57a4a59f3331601faa

    • Score

      1/10

    • Target

      Purchase Order.exe

    • Size

      598KB

    • MD5

      fe5426be581da9253481c54aaabcd47d

    • SHA1

      952d80126435cb1bf5be98dc15e37d93410b1ef3

    • SHA256

      d5525bf39c73e96c70c1426c09e3431fcc7853b1f9920577aa3cd4596f209762

    • SHA512

      e39fc25d4ad6d8b76d543fb113631983f77a2043aacfabd495da485ce6808b089c1253f7e2c961e1147187ed5b498e525ea758720b49dca756ca8b45b9f6af0c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1
  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 3

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 3
  • Email Collection (T1114): 1
