General

  • Target

    54f102a5325edc227167444a30568b3eaeb3f8b34d68395b6ee6414d2ade377c

  • Size

    371KB

  • Sample

    220521-b13vyscgh8

  • MD5

    1cd051e2c1a268ed92a8afaf27e6c2c8

  • SHA1

    d312e6a200a49bd8d37ff9ed5e788210c3fdb366

  • SHA256

    54f102a5325edc227167444a30568b3eaeb3f8b34d68395b6ee6414d2ade377c

  • SHA512

    4031c6c8e65a55e51d4554f27988093f0e1141cfa31e0ebd439bba506e29c9e29711b99e5762a77d6fb7be5c797cf6a90b0e58db4282c5602c67fd33da4e23f0

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.elhelado.com.mx
  • Port:
    587
  • Username:
    servicio@elhelado.com.mx
  • Password:
    4042Ad@+

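
The extracted config above is the sample's exfiltration channel: a mailbox on a third-party domain reached over SMTP submission (port 587). The following Python is an added example, not part of the sandbox report, showing how to turn that config into hunt indicators and run them over firewall logs. The log format (key=value pairs), the log lines, the workstation subnet and the mail-relay address are all constructed for illustration. It also goes one step beyond the single IOC: because Agent Tesla builds rotate exfiltration mailboxes, the second hunt flags any workstation speaking SMTP directly to the outside, independent of this sample's server.

```python
"""Turn the SMTP exfiltration config extracted above into hunt indicators and run
them over firewall logs. Added example, not part of the sandbox report; the log
format (key=value pairs) and the log lines are constructed for illustration."""
import ipaddress
from collections import Counter

# Values as extracted in the Malware Config section of the report.
# The mailbox password is deliberately left out: detection needs only host and port.
EXTRACTED_CONFIG = {
    "protocol": "smtp",
    "host": "mail.elhelado.com.mx",
    "port": 587,
    "username": "servicio@elhelado.com.mx",
}

# Constructed firewall log lines (hypothetical key=value format, not real traffic).
SAMPLE_LOGS = """\
ts=2020-05-11T09:12:01Z src=10.0.4.23 dst=93.184.216.34 dport=443 proto=tcp action=allow
ts=2020-05-11T09:12:07Z src=10.0.4.23 dst=mail.elhelado.com.mx dport=587 proto=tcp action=allow
ts=2020-05-11T09:13:44Z src=10.0.4.51 dst=mail.elhelado.com.mx dport=587 proto=tcp action=allow
ts=2020-05-11T09:14:02Z src=10.0.4.23 dst=mail.elhelado.com.mx dport=587 proto=tcp action=allow
ts=2020-05-11T09:15:10Z src=10.0.4.77 dst=smtp.office365.com dport=587 proto=tcp action=allow
ts=2020-05-11T09:16:30Z src=10.0.4.23 dst=mail.elhelado.com.mx dport=25 proto=tcp action=deny
ts=2020-05-11T09:17:00Z src=10.0.9.5 dst=mail.elhelado.com.mx dport=587 proto=tcp action=allow
"""

# Hypothetical network layout: a workstation subnet and the corporate mail relay,
# which is the only host expected to speak SMTP to the outside.
WORKSTATION_NETS = [ipaddress.ip_network("10.0.4.0/24")]
MAIL_RELAY = ipaddress.ip_address("10.0.9.5")

SUBMISSION_PORTS = {25, 465, 587}


def parse_logs(text):
    """Parse key=value lines into dicts, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if {"src", "dst", "dport"} <= fields.keys():
            fields["dport"] = int(fields["dport"])
            entries.append(fields)
    return entries


def indicators(config):
    """Network indicators worth alerting on. The username is kept so the abuse of
    the mailbox can be reported to the domain owner; the password is not an indicator."""
    return {"host": config["host"], "port": config["port"],
            "exfil_account": config["username"]}


def hunt_exfil_c2(text, config):
    """Count connections per source host to the extracted exfil server and port."""
    ioc = indicators(config)
    hits = Counter(e["src"] for e in parse_logs(text)
                   if e["dst"].lower() == ioc["host"] and e["dport"] == ioc["port"])
    return dict(hits)


def hunt_direct_smtp(text):
    """Behavioural hunt: any workstation talking SMTP to anything at all,
    regardless of the C2 address in this particular build. The mail relay is
    exempt because it legitimately submits mail externally."""
    flagged = set()
    for e in parse_logs(text):
        src = ipaddress.ip_address(e["src"])
        if src == MAIL_RELAY or e["dport"] not in SUBMISSION_PORTS:
            continue
        if any(src in net for net in WORKSTATION_NETS):
            flagged.add(e["src"])
    return sorted(flagged)


if __name__ == "__main__":
    print("IOCs:", indicators(EXTRACTED_CONFIG))
    print("Hosts reaching the exfil server:", hunt_exfil_c2(SAMPLE_LOGS, EXTRACTED_CONFIG))
    print("Workstations speaking SMTP directly:", hunt_direct_smtp(SAMPLE_LOGS))
```

Two things the sample output makes visible: the IOC hunt also matches the mail relay (10.0.9.5), which may simply be delivering legitimate mail to that domain, so relay hits need triage rather than an automatic block; and the workstation on port 25 that was denied still shows up in the behavioural hunt, because the attempt itself is the signal. The exfil account is a compromised mailbox on someone else's domain, so the right follow-up is notifying the domain owner, not only blocking the host.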

Targets

    • Target

      S00100239029933-05-11-2020.exe

    • Size

      455KB

    • MD5

      e641c2db9fb60a6fd0e1938bc264938d

    • SHA1

      9719f6b085c88f384190caa4e864f49277204519

    • SHA256

      5a352b2ee786cc795f1384a14290a9bb06db592c529f0f4f50ab7cacd95bd091

    • SHA512

      8bfc54d03cc1eba98576da8f17fdfbcb83ae6908ece722e61b8a48ea38de43d446da669c42b89e462673b976e0e97a1f6908c5d0f287bf3239a2ffa2fd313350

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET.

    • CoreEntity .NET Packer

      A .NET packer, CoreEntity, that stores the payload as a Bitmap object embedded in the binary and decrypts it at runtime.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
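
The "Reads data files stored by FTP clients" signature above, and the Credentials in Files technique it maps to, come down to one fact: FileZilla keeps its Site Manager entries in an XML file whose saved passwords are only base64-encoded, so any process running as the user recovers them in clear. The Python below is an added example, not part of the report, for the incident-response side of that: it parses a FileZilla sitemanager.xml and lists which accounts must be treated as compromised on an infected host. The XML is constructed and the host and user names are placeholders; the default path is the standard FileZilla location on Windows.

```python
"""Audit a FileZilla sitemanager.xml for saved credentials. Added example, not
part of the sandbox report; the XML below is constructed and its host/user values
are placeholders."""
import base64
import os
import xml.etree.ElementTree as ET

# Default location on Windows; FileZilla writes recentservers.xml alongside it.
FILEZILLA_SITEMANAGER = os.path.join(os.environ.get("APPDATA", ""),
                                     "FileZilla", "sitemanager.xml")

# Constructed sitemanager.xml: one entry with a saved password, one entry set to
# prompt for the password at connect time (FileZilla then writes no <Pass> element).
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.51.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass encoding="base64">UGFzc3dvcmQxMjM=</Pass>
      <Name>Web server</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Name>Deploy box (asks for password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def stored_credentials(xml_text):
    """Return one record per Site Manager entry; 'password' is the recovered
    cleartext, or None when FileZilla was configured to prompt for it."""
    root = ET.fromstring(xml_text)
    records = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                password = pass_el.text  # older FileZilla builds stored it unencoded
        records.append({
            "name": server.findtext("Name", default=""),
            "host": server.findtext("Host", default=""),
            "port": int(server.findtext("Port", default="0") or 0),
            "user": server.findtext("User", default=""),
            "password": password,
        })
    return records


def accounts_to_rotate(xml_text):
    """Accounts an infostealer on this host would have obtained in clear, as
    user@host:port for the incident ticket (the secrets themselves are not included)."""
    return [f"{r['user']}@{r['host']}:{r['port']}"
            for r in stored_credentials(xml_text) if r["password"] is not None]


def audit_file(path=FILEZILLA_SITEMANAGER):
    """Run the check against a real config file if it exists; returns [] otherwise."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as f:
        return accounts_to_rotate(f.read())


if __name__ == "__main__":
    for r in stored_credentials(SAMPLE_SITEMANAGER):
        state = "saved in clear" if r["password"] is not None else "prompted"
        print(f"{r['name']}: {r['user']}@{r['host']}:{r['port']} ({state})")
    print("Rotate:", accounts_to_rotate(SAMPLE_SITEMANAGER))
    print("On this machine:", audit_file())
```

The entry without a saved password is the model to aim for: the only reliable mitigation for this class of theft is not having the secret on disk at all, since the file is readable by every process in the user's session and no sandbox or registry check stands between the sample and it.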

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                      Signatures  ID
Execution              Scheduled Task                 1           T1053
Persistence            Scheduled Task                 1           T1053
Privilege Escalation   Scheduled Task                 1           T1053
Credential Access      Credentials in Files           3           T1081
Discovery              Query Registry                 1           T1012
Discovery              System Information Discovery   2           T1082
Collection             Data from Local System         3           T1005
Collection             Email Collection               1           T1114

Tasks