General

  • Target

    94abed46afe11eb72f0a0ddc6d5a2d81e0d05d5fa4e3f5763a96de00af8b7106

  • Size

    538KB

  • Sample

    220521-aelh4sdaaq

  • MD5

    8e5cb756f8082b0416762cff5472fa22

  • SHA1

    fbf6237751bd43ebbcc0ca88a23e69874f21fc8e

  • SHA256

    94abed46afe11eb72f0a0ddc6d5a2d81e0d05d5fa4e3f5763a96de00af8b7106

  • SHA512

    0c648aea7564d9e377ee7c0b10c9d04f2a8c970aedbe201a90db7be76875cf7ac314c1f0057a1ad656d1a701b451c140e8e08afb3ef0315f56dbd8db235bb827

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.varda.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    varda9997929

Targets

    • Target

      FIRST PURCHASE ORDER.exe

    • Size

      1.3MB

    • MD5

      e07c6e6de63bdd8421c369c9a39037fb

    • SHA1

      480ea048101330927ce18c105c70a0dc4505a7fb

    • SHA256

      3638d193b36a335bb93dc5f978fb5dc35c23a73d0e6c62a4316181286dc3cb57

    • SHA512

      e82fda2359558e731db3fe83c8e6b2ec51f197efda9f8bd393e2978f414091faea4af92393463e4dada4c5c8fba3e77dbe47599a3b56548870c642b86b98ba73

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks