Overview

overview

10

Static

static

PO copy.pdf.exe

windows7_x64

10

PO copy.pdf.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    59cb7e6648d619ee4714e52d2b027d4249b115eacab21cea287f87d08a3aeea0

  • Size

    482KB

  • Sample

    220521-ashdlsdffm

  • MD5

    703d02578bf5ec6c26fabb949f1e4970

  • SHA1

    df060cb6f229f83329a8aac47e23a95036f838c1

  • SHA256

    59cb7e6648d619ee4714e52d2b027d4249b115eacab21cea287f87d08a3aeea0

  • SHA512

    65fb106d293821b767f9723e92faf20bd0a2fb3813555ebf94d141d8acc168b179375b89294ed9a20a7b9f643390a867b3e69f09f68c30e5c22b200908250d48

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    chibuikelightwork1

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    chibuikelightwork1

Targets

    • Target

      PO copy.pdf.exe

    • Size

      600KB

    • MD5

      3fe5438b138021910261a11d1ade22f2

    • SHA1

      d24100a23ab25530b24196718eccb0b17b80cc0a

    • SHA256

      86eb9ef9abcbd21df6bed4743efd0c879ba62127b73a0dc5194e0ee758038628

    • SHA512

      d31311738b33b6197795c889cc07793f02f0b501ec622c4948b7c9432fc14c41ff712bd7d81942ceca3f153e1184314cc3f8490eb9e37552af33781a522a9ff1

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks