Overview

overview

10

Static

static

ORDER NO. DC08021.exe

windows7_x64

10

ORDER NO. DC08021.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8ffedf5e468337d6420f1f3f701222dd2578474ebb2efbd545430560558b12d3

  • Size

    533KB

  • Sample

    220521-afbqasabd9

  • MD5

    0e3bba87f2463f2ce5365e92d54842a1

  • SHA1

    ec9807db0d14694d8b3ecc31be51d4f94670b8ff

  • SHA256

    8ffedf5e468337d6420f1f3f701222dd2578474ebb2efbd545430560558b12d3

  • SHA512

    b6b58a46058f5f4b1b6d5a82155a743ffef1360afcca9e09481ba2ce4eba3174a9f1fca3f330a43dfb7645fcd196fdc302e1a444d8fa1b3204d405e650cd7a59

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.kohinoorribbon.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ashu@1976

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.kohinoorribbon.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ashu@1976

Targets

    • Target

      ORDER NO. DC08021.exe

    • Size

      693KB

    • MD5

      d45c4fed12f1ff0cc6332b1141d0b435

    • SHA1

      3ef534d2d63cc3e13c99fedebe980f52ff05ee38

    • SHA256

      7d45448bfe8b015e4c529ea7c1898c7a311d8ce42eb208957113735c5b750335

    • SHA512

      00059cbbb1f88bde4c3860c40a822e35e93128e91cb889ffeb03745dae7b7a1a8bd472b086f1abfc2567392137080fa15c65ee031c1ada6a3c0e112a6b3f326c

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks