Overview

overview

10

Static

static

KXunm5bl8xyHuMr.exe

windows7_x64

10

KXunm5bl8xyHuMr.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2824d2c7625159e8f495f9c1932fc7a51001693713730c9994cf6ec9aa49328a

  • Size

    383KB

  • Sample

    220521-bbz3rsbff2

  • MD5

    48dc41932cc7562759f465c993f3349b

  • SHA1

    60e6b412f31dd0a04c9a27849d51cd1e8e14bed9

  • SHA256

    2824d2c7625159e8f495f9c1932fc7a51001693713730c9994cf6ec9aa49328a

  • SHA512

    59a9f6144ba2d2a31c69027aa2178e9049a7ed3024871000ee0201a0f21cf92da88d826c950c6e85e6c2272ea43434d6005a523b9cf4d155d43f5bb53b102bb5

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.prismindia.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Stencil1@

Targets

    • Target

      KXunm5bl8xyHuMr.exe

    • Size

      791KB

    • MD5

      4288d7a9d8d33f7aa22ad1d73065cf6e

    • SHA1

      8727fabeaa9ae22eb84aec66c415197bfbc3ae8e

    • SHA256

      cdfac7ca69379fdcad030db24eff90d5ee4ef276d450e79bea98793a6801854d

    • SHA512

      31a7402edd996b8f0cd02860fde1aee4ee57404cb76275e1ec05a88f23dadaf85ee85fa7a9b590768a09d1261a9d82a2935517d61af8e1dfc849719bdebb08f1

    Score
    10/10
    agentteslacollectionevasionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks