General

  • Target

    45dae719b983ccb60c4a86bcc2e56fbbbbaba934246736061df502bdb51368ba

  • Size

    468KB

  • Sample

    220521-axjr8sdhgl

  • MD5

    894d0c8cae25d13a33759d000106f125

  • SHA1

    5d73f87ba9d4147c296d4e1280fe7f5c5cbad4cc

  • SHA256

    45dae719b983ccb60c4a86bcc2e56fbbbbaba934246736061df502bdb51368ba

  • SHA512

    4b43d32ff9f7c1a628b2d16f7c7abaef378b01c50c571df9f2acc0c9142fa1055400ab8edf8f9ed0a0be257fe726c2c08bef11cf2e03f7eb4e9631303e59e4f5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.greenslr.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    )HdurgF2

Targets

    • Target

      Tender inquiry.pdf.exe

    • Size

      583KB

    • MD5

      508497b3495d5f02ea2258a29000369a

    • SHA1

      74c383eaa63572bc7f8bf99b8ab00c23360b51cb

    • SHA256

      83fa39af770ba4292d5d4ec0f584d6285ac15d7ca19619bbe4dfc2f0287f0a9d

    • SHA512

      3dceced6a3bda7c9465300d79511b40b0cb1126b330360d66be133f839e20a02fb823f116ede13295427e56419adf8e7e343e02662bf2516a81ee12495e9777c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                            Count  ID
  Execution              Scheduled Task                       1      T1053
  Persistence            Registry Run Keys / Startup Folder   1      T1060
  Persistence            Scheduled Task                       1      T1053
  Privilege Escalation   Scheduled Task                       1      T1053
  Defense Evasion        Modify Registry                      1      T1112
  Credential Access      Credentials in Files                 3      T1081
  Discovery              Query Registry                       1      T1012
  Discovery              System Information Discovery         2      T1082
  Collection             Data from Local System               3      T1005
  Collection             Email Collection                     1      T1114

Tasks