Overview

overview

10

Static

static

RFQ- PT MU...oc.exe

windows7_x64

10

RFQ- PT MU...oc.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c5abfa80cf40d138887ae52cd441797c0e549af02c352f39451693cf597d184e

  • Size

    2.0MB

  • Sample

    220520-3t87yahef6

  • MD5

    8dcbc0a2e5d101cb601b5f33869131f2

  • SHA1

    28ee77564c4d5af3471dd3c430e719bf06ee8312

  • SHA256

    c5abfa80cf40d138887ae52cd441797c0e549af02c352f39451693cf597d184e

  • SHA512

    f4beff92bbbd5c76e91f75d2f2634f401fe4ecd7f16a0d7fd7fc01a064e659614a5fe05fef2ac8174be847c609498db21dcca79c3d01b05db481945319f25460

Score
10/10
agentteslacollectionevasionkeyloggerpersistencerezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.parshavayealborz.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    P@rshava123456

Targets

    • Target

      RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe

    • Size

      2.0MB

    • MD5

      2a6cec53f04f431e88734606cc170575

    • SHA1

      9c34a820806f306345f86db72bc0f3ae8ae7dfbf

    • SHA256

      1296fea5be2ddeca7afbb565183c83b9a5660eb1fe98942bb2f048be7b237f6c

    • SHA512

      83de8bc6688cd87d3596438f52f7cb5630d47bfa1546b38de6b4d8886a13290d7575f610d460fbcd287a4e4823db64892b64399fc59afa258b5448dbf807f7d1

    Score
    10/10
    agentteslacollectionevasionkeyloggerpersistencerezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Drops startup file

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks