General

  • Target: 82656002fa0a300c1c6dda10d09163a0437d2fcb105b393f0eb9840d6fb056f9
  • Size: 591KB
  • Sample: 220521-ajcf1adbhl
  • MD5: 8868a985145b40c243230722cbe5b458
  • SHA1: fd77155b9f38d53a56f20c9f71a83f4dbac03f01
  • SHA256: 82656002fa0a300c1c6dda10d09163a0437d2fcb105b393f0eb9840d6fb056f9
  • SHA512: 9e5717074239276bd8d68c79f3f8aad24939238956a6e7670dfeec59fa1a308ad8c2cd92b94ffb11e4c7634e4271e8a54fd39764392764237e412c71a0911d99

Malware Config

Extracted

Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.yandex.com
  • Port: 587
  • Username: [email protected]
  • Password: Prince11

Targets

    • Target: Payment Slip.exe
    • Size: 758KB
    • MD5: 122e2b7c8be6969c167766ec93c25362
    • SHA1: 332ad5ba800c28f51947f61756ae038d990cf639
    • SHA256: 6200afd2e5392b6cd25293e243c1f8807ad920e2c82cae8ddcf7f631edcea0c4
    • SHA512: 99808ec37cac9d2e395161ee00c311afa5fa825f85567dd59e739975215b88691bcc6c868a5db37b065009f40d61d35124dca4b08f43cce55eeee3428934b977

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the tactic, the technique, its ATT&CK ID and the number of matching detections.

  • Execution: Scheduled Task, T1053 (1)
  • Persistence: Scheduled Task, T1053 (1)
  • Privilege Escalation: Scheduled Task, T1053 (1)
  • Credential Access: Credentials in Files, T1081 (3)
  • Discovery: Query Registry, T1012 (1); System Information Discovery, T1082 (2)
  • Collection: Data from Local System, T1005 (3); Email Collection, T1114 (1)

Tasks