Overview

overview

10

Static

static

EFS_SPEC.exe

windows7_x64

10

EFS_SPEC.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f638b6b5261b1bca1368c299b7b7017360192e19058da4f5079cfb342d0afb63

  • Size

    1.4MB

  • Sample

    220521-blws4acah5

  • MD5

    8aff0ad071fa957af4b4340c067f7320

  • SHA1

    874d822aafb45ae6d967e8d19fc826ad79bad9bf

  • SHA256

    f638b6b5261b1bca1368c299b7b7017360192e19058da4f5079cfb342d0afb63

  • SHA512

    1382eca63998d5ba5f676b84e349185468e21cc0dc0a601d08610516a16da3a315c5e370125bed1391a3c9a6314e6a60b837405de08cf9ea10b53143c5c6a2ec

Score
10/10
agentteslacollectionevasionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    business43.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    P04042017

Targets

    • Target

      EFS_SPEC.EXE

    • Size

      845KB

    • MD5

      d51d2bf57db9ce6c54521c328dd5fb28

    • SHA1

      674964135e6b5d1a766240ebd0340a4db0064218

    • SHA256

      cd9b154f848a6f37a110de136034cbf5190600da5687bb6259f19addf2e2759a

    • SHA512

      04be3bb5ae07685b17394c3a322bde994900670b60983e7ead30dbfd7bc9cfec42b81d6c85890be52e618aa74afafc172dbbbfe19b01cc1cd6a4005907825dda

    Score
    10/10
    agentteslaevasionkeyloggerrezer0spywarestealertrojancollection

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks