General

  • Target: c04dc5dd7911fd254fc4fd57f9a85e1b56581e0274f331638145d9d72d2dc146
  • Size: 461KB
  • Sample: 220520-3wbz8ahfb4
  • MD5: 6bc13b5485bec7a02d643d9b79b606eb
  • SHA1: 12c5acaf265af29b3114ddf595c4b4e3cf935b89
  • SHA256: c04dc5dd7911fd254fc4fd57f9a85e1b56581e0274f331638145d9d72d2dc146
  • SHA512: 5ec518bea41f3de755a0b3f807fb8a556c92694c16aac234ea82c83b5e0da26e723e713285346ef4df95fde06819dcf16c44fa068d5462a9150c0870073ef607

Malware Config

Extracted

  • Family: agenttesla
  • Credentials
    • Protocol: smtp
    • Host: mail.pushpageseo.com
    • Port: 587
    • Username: [email protected]
    • Password: test

Targets

    • Target: BANK COPY.exe
    • Size: 563KB
    • MD5: 937717f0eb3d33bab9f444e54e6040b9
    • SHA1: d83195f4d3f42e84243bbbdc32e94c23982a2917
    • SHA256: 3dd701e877f0f802984c90bcfdcde54c35780c9afb459b2d395e6d38b2d4a503
    • SHA512: 6fd6809ad139aea7b94237b3530f02f8d3f98c227927be7a571c2058fc809c77769d206b633b3ec396b7238c43e884a06392f2a35ebe69bb6e04c87de494166b

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053
  • Privilege Escalation: Scheduled Task (1) T1053
  • Credential Access: Credentials in Files (3) T1081
  • Discovery: Query Registry (1) T1012; System Information Discovery (2) T1082
  • Collection: Data from Local System (3) T1005; Email Collection (1) T1114

Tasks