General

  • Target

    3fd79827f1a6997012f6cf1a69bcc6e939f4792e6fc08c08ad8202cd660eba9f

  • Size

    375KB

  • Sample

    220521-ayvwwsbad2

  • MD5

    7bb3326443f0fd46217fcc24dcd7f2c0

  • SHA1

    c4a31ac061afa14b10734359e7578d8aa7ef18a9

  • SHA256

    3fd79827f1a6997012f6cf1a69bcc6e939f4792e6fc08c08ad8202cd660eba9f

  • SHA512

    a8eb0127409a5de4c60b766e81c583a6619735b81de012e086cb6d1e2f3a43411d59251098266f0e0e35561f4e5fecd596f2c346a68a906d4723b80d363b9a36

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    335410

Targets

    • Target

      inquiry_052019_list.xlsx.exe

    • Size

      399KB

    • MD5

      43728c30a355702a47c8189c08f84661

    • SHA1

      790873601f3d12522873f86ca1a87bf922f83205

    • SHA256

      cecdf155db1d228bc153ebe762d7970bd6a64e81cf5f977343f906a1e1d56e44

    • SHA512

      b2d0882d5392007364e5f605c405b98a375e34dec63be5d16d9fae374313336fa13edbb6b8894334afb409833ffc0dbbc9be3d7b4263bdf5b77dbff9f2182e1e

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Drops file in Drivers directory

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 3
  • Collection
    Data from Local System (T1005): 3
  • Collection
    Email Collection (T1114): 1

Tasks