General

  • Target

    757a55b3e779982c16c33116eb2208316a448ec302263ea8a67e6d088434f76a

  • Size

    463KB

  • Sample

    220521-al3qzaddar

  • MD5

    70ec403a10f754002ca06d98696f88f6

  • SHA1

    4a91bdfc48cacaaf7d924d755c9c83774e8a9223

  • SHA256

    757a55b3e779982c16c33116eb2208316a448ec302263ea8a67e6d088434f76a

  • SHA512

    7b95ef49ce133c7602565e4b7e2c353841721b4b4f056bb2153d941eb28a5e1ca2e3c84866a1a41d4ce068fa54ad41f2047f27780587cbcdd46b1d80dfcf45d3

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mahavirint.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mailok

Targets

    • Target

      ORDER 062920.exe

    • Size

      717KB

    • MD5

      2ffdef12a916aa08b42431eb1934ce62

    • SHA1

      c2fdff35c21423434231baea7c454143f2ca0339

    • SHA256

      b2d3f04b9fa07cc1efca983cfc40f4cbfccb0b24c7a7fe5acbce0476f8216da3

    • SHA512

      cbb20b5cd81259807729b9678ab2f7c2c0971126306b9a801227814cb1ad57579701727f795550a9088426f478411dff458a4a73d9bdad3f88828dc2e770a7d2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                Count  ID
  Defense Evasion     Modify Registry          1      T1112
  Credential Access   Credentials in Files     3      T1081
  Collection          Data from Local System   3      T1005
  Collection          Email Collection         1      T1114

Tasks