General

  • Target

    0879e3df000ba3c68fe594767610aa373c7c19053eae0bac04076a76ce8aac38

  • Size

    1.3MB

  • Sample

    220521-b7efyadch2

  • MD5

    8aac9e0a1f733794f64dfd4bb7252732

  • SHA1

    818af7bc947696ffd4ac261e0bbf8577d22bb344

  • SHA256

    0879e3df000ba3c68fe594767610aa373c7c19053eae0bac04076a76ce8aac38

  • SHA512

    a8c09e4e3155f984d6f7b86d07ab835cf343190cb8055bf42e1ec1711f8c59dfd86d1761376e33683674e9826507db5fcf4999ec2727c8e39660ccd1ad66e2df

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.kteadubai.com
  • Port:
    587
  • Username:
    mujeeb@kteadubai.com
  • Password:
    bt3tw9wqh#B

Targets

    • Target

      Account Application Form.exe

    • Size

      478KB

    • MD5

      7acfdd63ab76c9cf0b2d3be22ecb6fcd

    • SHA1

      8b91ee50f4fc626e750fbf03604ff4683f26d68b

    • SHA256

      0cbeec037901550f7d50076bd0aef2937cafe6699a81c3859c47debd90fee98e

    • SHA512

      072d998c4f9fd03d746b11d86fd8f29709d10445aab600e0af1770d2077fa920259ab6133ede772b27a4949f60782e9daa17e1b1248eec4864e26478981ab4cb

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      Agreement.exe

    • Size

      308KB

    • MD5

      c38d49bb12881d106244f20994b37f08

    • SHA1

      1848f48522f250fe35d2ce0ee77087920a22ad6c

    • SHA256

      b8b648e44f2ab26fa568183e5139a8cdfe5fd7b6b1e174184324fb3056c9ce8e

    • SHA512

      e780fbc6250e07018f03448c8468f8b0836545a4354339d39ac5814f3aaef842cb612e0afe94f0f5a6b90396623ed0f2095d7894cd4aeded88fec9e3c3f5d08c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      Contract Rates.exe

    • Size

      312KB

    • MD5

      18376bd1c0ad2d6cc811aab96027da5f

    • SHA1

      64be33035c41fcb68a2c1b576286f902e519a659

    • SHA256

      e78e7d17890f956f99183f8524d03f871bce6e82cc1794937d680c4510bb4be9

    • SHA512

      1ed3ba86abdc2c9312a86cd4598d1afcf3adb5ffe816c2fc81b7711b707302f979875b97f5ea4545cee60aa0b24a971331ffabc1a21bef393ab998be4743fa9b

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      Contract.exe

    • Size

      476KB

    • MD5

      e60a1130fe83ba713143af716df21629

    • SHA1

      4a1d99b1bbc69aa67e73f953caf8ba86120f7443

    • SHA256

      b0fc5ca9a05de7084f80988655e413f489556a99e07d5009aee4fb476ce243de

    • SHA512

      eef283520885652bd24785c9934fb645b5cdcfc1f6ff1884744ab528641a1947e5b2cc7009d292a3695499160f5d441e2cade632f65f6d30d749d03a1dc28d88

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 12

  • Collection: Data from Local System (T1005), 12

  • Collection: Email Collection (T1114), 4

Tasks