General

  • Target

    c97a4c93e550502baa51694a07a87ff0999288bb5aeeef044ade8c82f864ed9f

  • Size

    375KB

  • Sample

    220520-3tk54shed2

  • MD5

    0774641ca30f4032f101c523d01c3489

  • SHA1

    a2d42fcfd5f9f151cc2e9b26a5b09074e2b7f7b8

  • SHA256

    c97a4c93e550502baa51694a07a87ff0999288bb5aeeef044ade8c82f864ed9f

  • SHA512

    4770146599650fd36f8e917e21f7be17090f780a65ff69fafd36fee9c52c8a427903cae92972a350bcb91cc6e3c374af5495589c341bd261f9af596b78262cea

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    atk9202

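
The extracted config above is the most actionable part of the report: the sample exfiltrates over authenticated SMTP submission (port 587) to smtp.yandex.com, so the network-side question is "which endpoints are talking SMTP to the Internet at all, and is any of them talking to that host". The script below is an added hunting example, not part of the sandbox report. It takes the exfil endpoint from the config; the Zeek-style log lines, the workstation and relay names, and the corporate relay allowlist are constructed for the example, and the PW_/KL_/SC_/CO_ subject prefixes are general knowledge about the Agent Tesla family rather than something this report states.

```python
"""Hunt for Agent Tesla SMTP exfiltration in egress logs.

Added example; not part of the sandbox report.  The exfil endpoint
(smtp.yandex.com, port 587, SMTP) comes from the extracted config.
The log lines, host names and the relay allowlist are constructed.
"""
import csv
import io
from dataclasses import dataclass

# From the report's extracted config.
EXFIL_HOST = "smtp.yandex.com"
EXFIL_PORT = 587

# Assumption: only these hosts are allowed to speak SMTP to the Internet.
CORP_RELAYS = {"mail-gw-01.corp.example", "mail-gw-02.corp.example"}
SUBMISSION_PORTS = {25, 465, 587}

# Subject prefixes Agent Tesla puts on its reports (passwords, keylog,
# screenshot, cookies).  General knowledge about the family, not something
# this particular report states.
AGENT_TESLA_SUBJECT_PREFIXES = ("PW_", "KL_", "SC_", "CO_")

# Constructed egress log, Zeek-style TSV.  resp_host is the destination
# name recovered from DNS/TLS-SNI; real Zeek smtp.log has no hostname
# column, so in practice you join conn.log with dns.log or ssl.log.
SAMPLE_LOG = """\
ts\tsrc_host\tid.resp_h\tresp_host\tid.resp_p\tmailfrom\tsubject
1653000001.1\tmail-gw-01.corp.example\t203.0.113.25\tsmtp.partner.example\t25\tbilling@corp.example\tInvoice 4471
1653000002.4\tWS-FIN-07\t203.0.113.58\tsmtp.yandex.com\t587\texfil-account@yandex.com\tPW_jdoe/WS-FIN-07
1653000003.9\tWS-HR-02\t198.51.100.9\tmail.example.net\t465\tjsmith@example.net\tlunch?
1653000004.2\tWS-ENG-11\t198.51.100.80\twww.example.com\t443\t-\t-
"""


@dataclass
class Alert:
    src_host: str
    dst: str
    severity: str
    reasons: tuple


def parse_log(text):
    """Parse the TSV into dict rows; csv.DictReader consumes the header."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def evaluate(row):
    """Return an Alert for a suspicious SMTP flow, or None."""
    port = int(row["id.resp_p"])
    if port not in SUBMISSION_PORTS:
        return None                      # not mail submission at all
    if row["src_host"] in CORP_RELAYS:
        return None                      # the gateway is supposed to do this
    host = row["resp_host"].lower()
    reasons = ["endpoint speaks SMTP directly instead of via the corporate relay"]
    if host == EXFIL_HOST and port == EXFIL_PORT:
        reasons.append("destination matches the exfil endpoint extracted from the sample")
    if row["subject"].startswith(AGENT_TESLA_SUBJECT_PREFIXES):
        reasons.append("subject carries an Agent Tesla report prefix")
    severity = "high" if len(reasons) > 1 else "medium"
    return Alert(row["src_host"], f"{host}:{port}", severity, tuple(reasons))


def hunt(text):
    """Run every row through evaluate() and keep the alerts."""
    return [a for a in map(evaluate, parse_log(text)) if a is not None]


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.src_host} -> {alert.dst}")
        for reason in alert.reasons:
            print(f"    - {reason}")
```

A workstation speaking SMTP directly is only medium on its own (personal mail clients do it), which is why the rule stacks it with the host:port from the extracted config and the subject convention; WS-FIN-07 hits all three and comes out high, WS-HR-02 only the first. Because the exfil is STARTTLS on 587, the mailfrom and subject columns are only available from a sensor that sees the session before encryption or from the mail provider's side, so in an environment without that visibility the host:port match is the signal to rely on.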

Targets

    • Target

      [DHL] 7348255142.exe

    • Size

      542KB

    • MD5

      0043cc269ef53ad28a4b1339cd3b0aad

    • SHA1

      b39c9581ad34c6733d4a75104fad34dd21147bee

    • SHA256

      20486793ae98833178cb24180d58511ac0ec100a3c341b7a956b95a13cdd1e72

    • SHA512

      a3c5e7dc1f37a6fa9e9c2d626b6e901b404200d40a07fa941302ac4f5e59bc9a8306119c069c9e8b6de0835b0dbd0c2c958410f468baa28a5f8421bc6a0ef1c1

    • AgentTesla

      Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests credentials from browsers, mail clients and FTP clients and exfiltrates them over SMTP, FTP or HTTP; this sample uses SMTP (see the extracted config above).

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution by region.

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla, which store saved server credentials.

    • Reads user/profile data of local email clients

      Email clients store account data, including credentials, on disk, where infostealers routinely collect it.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

      Persistence via a registry Run key, so the payload is relaunched at every logon.

    • Suspicious use of SetThreadContext

      SetThreadContext is a staple of process hollowing: the injector overwrites a suspended process's image with the payload, points the main thread at the new entry point with SetThreadContext and resumes it.
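
The behaviour signatures above are the sandbox's view; on an endpoint the same behaviours show up as registry and file events. The classifier below is an added example, not the sandbox's own rules and not part of the report. It encodes the well-known locations each signature refers to (FileZilla's sitemanager.xml and recentservers.xml, Chrome/Edge "Login Data" and Firefox/Thunderbird logins.json, the Outlook profile keys, the Geo\Nation country-code value and the HKCU Run key) and labels hits with the ATT&CK v6 IDs this report uses. The telemetry events, the user name, the profile name and the Run value name are constructed; the process name is the file name from this report.

```python
"""Classify host telemetry against the behaviour signatures in this report.

Added example, not part of the sandbox report or the sandbox's own rules.
The paths and registry keys are the well-known locations the signatures
describe; the events at the bottom are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Signature:
    name: str
    technique: str      # ATT&CK v6 ID, as used in this report
    event_type: str     # reg_set / reg_read / file_read
    pattern: re.Pattern


def _sig(name, technique, event_type, regex):
    return Signature(name, technique, event_type, re.compile(regex, re.IGNORECASE))


SIGNATURES = [
    _sig("Adds Run key to start application", "T1060", "reg_set",
         r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"),
    _sig("Checks computer location settings", "T1012", "reg_read",
         r"^HKCU\\Control Panel\\International\\Geo\\Nation$"),
    _sig("Reads data files stored by FTP clients", "T1081", "file_read",
         r"\\FileZilla\\(sitemanager|recentservers)\.xml$"),
    _sig("Reads user/profile data of web browsers", "T1081", "file_read",
         r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$"
         r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$"),
    _sig("Reads user/profile data of local email clients", "T1081", "file_read",
         r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$"),
    _sig("Accesses Microsoft Outlook profiles", "T1114", "reg_read",
         r"^HKCU\\Software\\Microsoft\\(Office\\\d+\.\d\\Outlook"
         r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\"),
]

# Persistence that points at a location the user can write to is the
# infostealer pattern; installers normally point Run values at Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


@dataclass
class Hit:
    signature: str
    technique: str
    process: str
    target: str
    note: str = ""


def match_event(event):
    """Return every signature an event satisfies (an event may hit several)."""
    hits = []
    for sig in SIGNATURES:
        if event["type"] != sig.event_type or not sig.pattern.search(event["target"]):
            continue
        note = ""
        if sig.technique == "T1060" and USER_WRITABLE.search(event.get("data", "")):
            note = "Run value points at a user-writable path"
        hits.append(Hit(sig.name, sig.technique, event["process"], event["target"], note))
    return hits


def triage(events):
    return [hit for event in events for hit in match_event(event)]


def techniques(hits):
    """Distinct ATT&CK IDs observed, sorted, for the report summary."""
    return sorted({hit.technique for hit in hits})


PROC = "[DHL] 7348255142.exe"      # file name from this report
# Constructed telemetry; user, profile and Run value names are made up.
SAMPLE_EVENTS = [
    {"type": "file_read", "process": PROC,
     "target": r"C:\Users\jdoe\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "file_read", "process": PROC,
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "process": PROC,
     "target": r"C:\Users\jdoe\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"},
    {"type": "reg_read", "process": PROC,
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002"},
    {"type": "reg_read", "process": PROC,
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "reg_set", "process": PROC,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "data": r"C:\Users\jdoe\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe"},
    {"type": "file_read", "process": "WINWORD.EXE",
     "target": r"C:\Users\jdoe\Documents\report.docx"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit.technique} {hit.signature}: {hit.process} -> {hit.target} {hit.note}")
    print("techniques:", techniques(SAMPLE_EVENTS and triage(SAMPLE_EVENTS)))
```

Run over the constructed events this yields six hits, three of them under T1081, which is the same count the Credentials in Files cell of the matrix below shows for this sample. Reading these files is not malicious by itself (the browser reads its own Login Data constantly), so a production rule would key on the process: a freshly dropped executable in a user profile touching several of these locations in one run is the signal, and the Run value pointing into AppData is what separates the infostealer from a legitimate installer.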

MITRE ATT&CK Matrix (ATT&CK v6)

Technique IDs are the ATT&CK v6 IDs the sandbox reported; in current ATT&CK, T1060 was folded into T1547.001 and T1081 into T1552.001. The number in parentheses is how many of the signatures above map to that technique.

  • Execution
      Scheduled Task, T1053 (1)

  • Persistence
      Registry Run Keys / Startup Folder, T1060 (1)
      Scheduled Task, T1053 (1)

  • Privilege Escalation
      Scheduled Task, T1053 (1)

  • Defense Evasion
      Modify Registry, T1112 (1)

  • Credential Access
      Credentials in Files, T1081 (3)

  • Discovery
      Query Registry, T1012 (1)
      System Information Discovery, T1082 (2)

  • Collection
      Data from Local System, T1005 (3)
      Email Collection, T1114 (1)

Tasks