General

  • Target

    93ed7ebb924f2b3efb476e6d30a3d26ae59c95fa7020c5d60bd7c65b00891377

  • Size

    536KB

  • Sample

    220521-aep7asabb9

  • MD5

    c324e6d021b720d2d92c59225b912655

  • SHA1

    29b0dc93d729ac0dd8d3438b4d68c849a792bb7b

  • SHA256

    93ed7ebb924f2b3efb476e6d30a3d26ae59c95fa7020c5d60bd7c65b00891377

  • SHA512

    9a919e184a5eacbfd10f03f5999b505b6677fc6a990fed7359057922ab042deebaaae13e3e5fe5a7173992ba654826d22472945afb18fa596299a755c9707cb7

Malware Config

  • Extracted

  • Family

    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    fingersawumen101

Targets

    • Target

      MV TBN PDA REQUEST_pdf.exe

    • Size

      757KB

    • MD5

      0adb8c19202510c5012d95b4ca515618

    • SHA1

      6fb960b0a5fddb3db605e237b5996afc7414a813

    • SHA256

      96d028a9dd05d0cbc03a7308fa10d516aca5b5628fef5aecef021181e6c1ce93

    • SHA512

      ca135188c906672cce5958ade0538df6bee92dacbbc58673d1fc904e9a4b777073afca934ab29fb93afd16f4cf93ec6b01f9dacfbd8d2bf7fc4bd4b1e17ae432

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Credential Access

    T1081 Credentials in Files (3)

  • Collection

    T1005 Data from Local System (3)
    T1114 Email Collection (1)

Tasks