Overview

overview

10

Static

static

BANK_PAY.exe

windows7_x64

10

BANK_PAY.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6c413e49fed9fcdea95ca989436a01df16d69051c2dfccc838f941074902d911

  • Size

    1.2MB

  • Sample

    220521-antabaaed9

  • MD5

    1a65e789518974db7060412cf54a0a59

  • SHA1

    a9f52ba569cc556bf24d742597ec042d9697e3ed

  • SHA256

    6c413e49fed9fcdea95ca989436a01df16d69051c2dfccc838f941074902d911

  • SHA512

    854cb03010adec0c43bd4cdc11aee8b5a68284c6e535d783c54cef2c214d22b80fab2640117e47babdc49528d272c08a2f602e6de27c4eb8632b5826da50c0e8

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail-out.cytanet.com.cy
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    signs606

Targets

    • Target

      BANK_PAY.EXE

    • Size

      467KB

    • MD5

      20758038b5d11ae2ecaafdb53924ad88

    • SHA1

      4de4617c58f33df35899bd1ac6a2fffe377dee46

    • SHA256

      bc07064a72812e0bef060dee9886ba7d06969c22a6ab8459f2682441142e8dc9

    • SHA512

      e048585b935312f3b358517b925877635c7e1bd5d51dd47f63fec29b88e7145df59e94fc03ddb0c4b8670f71807e00f5505835d9962f2d29fbdbc339087541fa

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks