General

  • Target: 67d91c5221480de0bacdc3dd366e4712a1e0a76ebcbfeb02830a139b85f4f522
  • Size: 452KB
  • Sample: 220521-apg9fadebm
  • MD5: 392e72f9dde8b716b8853f9990d34816
  • SHA1: 5792631aaa327d372ac8daec34846582501d0127
  • SHA256: 67d91c5221480de0bacdc3dd366e4712a1e0a76ebcbfeb02830a139b85f4f522
  • SHA512: e508227c560b2646c7ca1fa0229ea97540a4dad92df58ca704bc0e46adeaa866ed80351d489b76e3fab9b216d439efe333475c16ab21e106136f804a7ad603da

Malware Config

Extracted

  • Family: agenttesla
  • Credentials
      • Protocol: smtp
      • Host: mail.el-sever.com
      • Port: 587
      • Username: [email protected]
      • Password: admin123

Targets

  • Target: FINAL SHIPPING DOCS.exe
  • Size: 711KB
  • MD5: 7e55d24c0f8c1eede0c92de6eaf638f2
  • SHA1: 4ca3308afd73d550567395fbb10e1f9a5400ba5b
  • SHA256: 606d39731ffeb838a7e31286cf75dba0c3ac101984e9c95cbeafd284d5e25671
  • SHA512: 3a8136603025b2bbb3bfe13dbcec068196db19fa3f4353d3af9de19f76f471324137737aceb3b6a1111f525176e587d7f0d81b998b44ad31dbf848fc0de3936d

  Signatures

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • UAC bypass
    • AgentTesla Payload
    • Drops file in Drivers directory
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
      • Scheduled Task (T1053): 1
  • Persistence
      • Registry Run Keys / Startup Folder (T1060): 1
      • Scheduled Task (T1053): 1
  • Privilege Escalation
      • Bypass User Account Control (T1088): 1
      • Scheduled Task (T1053): 1
  • Defense Evasion
      • Bypass User Account Control (T1088): 1
      • Disabling Security Tools (T1089): 1
      • Modify Registry (T1112): 2
  • Discovery
      • Query Registry (T1012): 1
      • System Information Discovery (T1082): 2
  • Collection
      • Email Collection (T1114): 1

Tasks