General

  • Target

    ade494362402a793b745a3a7857ff5c779dfef4e931e8e05078f6b8a97c71284

  • Size

    325KB

  • Sample

    220520-3z38wahgg6

  • MD5

    3385856849ba0ad5f5561b4039a995cc

  • SHA1

    4dac1f5d3c490be0f09e0b8d98512957759d41b0

  • SHA256

    ade494362402a793b745a3a7857ff5c779dfef4e931e8e05078f6b8a97c71284

  • SHA512

    a16e9b0b8d2f24793d7e1d42bd5d6ea84a400ab890f85d5b20d2591dc0e03da5e3b90ee45d53c6696d3bc967b17dc9781367df2abe89ae645a2fcfaafdf7278f

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.amazinghotel.com.vn
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Amz@2020

Targets

    • Target

      QJIAYB93BC939XO.exe

    • Size

      710KB

    • MD5

      391d98e696ef46d06a60903a91cae10e

    • SHA1

      de4a73636eae9f3f9b1c0a3a380d5c8a432e7a3d

    • SHA256

      f6a1e6d11e0366c52fea294e6010a96df682e42df3a9d4fc417ae755366e91e2

    • SHA512

      154eea185216314e7c07c27f972628271a6de5d6a44935cd81d17c81bf8fff9a36eee7ae9eebbb4abb730a8e53b80b1b0e4d03cb349ade64ed360626dc372142

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 2

  • Collection

    Data from Local System (T1005): 2

    Email Collection (T1114): 1

Tasks