Overview

overview

10

Static

static

BL.exe

windows7_x64

9

BL.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7ff7c08013b3021cb330d6a3ffbced5725b4ba2354b4c16acb061f02c0bbe73e

  • Size

    555KB

  • Sample

    220521-ajvmksdcbk

  • MD5

    3d5c764704c7b1a2b4add952b6521ba6

  • SHA1

    f77d0aa790bc4118c0e2a5c230366ce95143e3d2

  • SHA256

    7ff7c08013b3021cb330d6a3ffbced5725b4ba2354b4c16acb061f02c0bbe73e

  • SHA512

    84946b522c5d7a3d21f0f7761b35a801c6ba36ca98231063c830e3f536e1e6d9343917baa4e0eead787319162ae9ece375a4977f6d60b64113f1fc43de63a03b

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.eidtravel.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Core2020C

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.eidtravel.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Core2020C

Targets

    • Target

      BL.exe

    • Size

      709KB

    • MD5

      ef56f3579d0622ac4240e009bfc3d87d

    • SHA1

      79afc3a7c52547895a536904b4d46113ef9fae03

    • SHA256

      f5f2f940a9d18cd7406a220801fb04eb500df3bf2ef8e73a110e7bd27bd7f860

    • SHA512

      0566b9ecdb8ffbd6da446c20dff14f32f16a910294d6a635ac8fe9675423b2e97615aa0435c9fe390819b981cbacd3f49ca922cb16789143f02d6aa6f7ea2d70

    Score
    10/10
    evasionagentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks