General

  • Target

    a5fc13df1012b247693e929efee6d5fd62154f0146ce945ad212921705a12d88

  • Size

    489KB

  • Sample

    220521-aaf3tscgbm

  • MD5

    c00ca1fea6da7b09977799bc58d630f0

  • SHA1

    e6fa092aa783ddadbcd9a1cc758708f5b93bae46

  • SHA256

    a5fc13df1012b247693e929efee6d5fd62154f0146ce945ad212921705a12d88

  • SHA512

    30ed7ccc55e87a4604acda6a8b0448b31e4a4ce102b49d93e2a6930a8a1d88cfea8c06f39fa6543f19af42ddf30ceff13245abca99f1e5417351ced2ccbe1173

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.procetfreight.co.ke
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    5VCo+%[lWoqY

Targets

    • Target

      INV 19003568.exe

    • Size

      559KB

    • MD5

      a887535cacc5f53e18904e84b5936037

    • SHA1

      6f0eece773ad3c0b980b08e9039b085fbf7bce73

    • SHA256

      bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6

    • SHA512

      6adaeb09c3108db8a4688219fbc2ca1f1eddbb990c50c718c8654d99076496e363857ae1fdaa99ab248385197ada10c577c8d5c91cf6f92d1248af00437e517a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Defense Evasion       Modify Registry                1      T1112
  Credential Access     Credentials in Files           3      T1081
  Discovery             Query Registry                 1      T1012
  Discovery             System Information Discovery   2      T1082
  Collection            Data from Local System         3      T1005
  Collection            Email Collection               1      T1114

Tasks