General

  • Target

    336770eca71c7ef886e0972687d5d08842eeb3c87554c29c4d7ec1cd8c2f92f9

  • Size

    396KB

  • Sample

    220521-bbs98aefgl

  • MD5

    1a575bcc5418c8f3ca26eddb48b6ec23

  • SHA1

    101e74e6a71f932991cb8eb3fdda1bcad10fb518

  • SHA256

    336770eca71c7ef886e0972687d5d08842eeb3c87554c29c4d7ec1cd8c2f92f9

  • SHA512

    003a089177607fa65362902e9a266d31d278dfa8a1ccd30e2f71284b8c40f4beec863e17152ddc9771686e4bdd3fb242031a6026efb0af5310ee46bd8e9b74b8

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.yitaipackaging.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    22799213

Targets

    • Target

      TT SWIFT.PDF.exe

    • Size

      437KB

    • MD5

      16cead8ab91ee65984e242d25310c8eb

    • SHA1

      56eee9eed7bca79c2380ca2f8b88d5938af3cc10

    • SHA256

      285921447b7223c6f6c6419c9ddfa5d26619286089de7cefa3255aa5f6c3bd51

    • SHA512

      44cc25cb1b8c9e97706455f4de08d0b47dd09da957b4444901091726e74929d55ed8db284c501bd3d8f55af1c3bfdff0a3edc2a2652a50a0ba266b2976b6f9ab

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • suricata: ET MALWARE AgentTesla Exfil Via SMTP

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1
  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 2

Credential Access

  • Credentials in Files (T1081): 3

Discovery

  • Query Registry (T1012): 3
  • System Information Discovery (T1082): 4

Collection

  • Data from Local System (T1005): 3
  • Email Collection (T1114): 1

Tasks