Overview

overview

10

Static

static

cataloco E...df.exe

windows7_x64

10

cataloco E...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    71666c10871dfbddd20d38324509ac33d531f6452a71ae03b48d44f0cd833051

  • Size

    394KB

  • Sample

    220521-amny7sdddl

  • MD5

    2655425ad5ae5a23e53d1a9ccc4efa87

  • SHA1

    3db02d6a137ec90371ef351694cd09fc1c123158

  • SHA256

    71666c10871dfbddd20d38324509ac33d531f6452a71ae03b48d44f0cd833051

  • SHA512

    72b8379148374c453d9ce786cfad9de53d5482743d91fbffe39347777498100d77ad2419c55f46351a0d40b66a5c63b10f1085b09274d18453f20d64e02b838f

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.cosur.pe
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    C0m3rc14l%

Targets

    • Target

      cataloco ECOR 2 Dl2.pdf.exe

    • Size

      439KB

    • MD5

      4ef34b916c5b6593e719a6b9a17481d1

    • SHA1

      25aeecfaeca807ec26d0ba461cba1c29f8137da4

    • SHA256

      1a5841a21e616296c4aafe372c36998c9e46c1f79513a379e59ee7aedc7a2535

    • SHA512

      a2c3c775b2153f9697834123eb7555c8978c613353291f2eb73b69a5c3675dd37599f9d969d9dec4cb05ef8b30d2cb40cd6e78a8e8b926f98dddd83aa4a44d71

    Score
    10/10
    agentteslacollectionevasionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks