Overview

overview

10

Static

static

Reff # PO_...09.exe

windows7_x64

10

Reff # PO_...09.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    81c5ba4cf759965ea48ecd717f58338ab07ff6c40e39be7838904c32333f41cf

  • Size

    398KB

  • Sample

    220521-bsbfqsfdfr

  • MD5

    6825bff20ce80fb66b2ba5f437f8f5d3

  • SHA1

    340029ad943cf796de30e69f2659756edfaad37b

  • SHA256

    81c5ba4cf759965ea48ecd717f58338ab07ff6c40e39be7838904c32333f41cf

  • SHA512

    cbd25a5633f9df8ade2eb446372a0828c024debfddf7cc3c6cbd448643c648d21590b29828d207ea14af8ed949ae5b8d592e33227ae9f5a36601cea4efcb02f1

Score
10/10
agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Starboy@22

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Starboy@22

Targets

    • Target

      Reff # PO_67574 SN-3945 187809.exe

    • Size

      519KB

    • MD5

      2937291b0e76f9710529d315a15b2ead

    • SHA1

      4ed50482753f2f5001221c51b291247cd4cd9e58

    • SHA256

      52076bdaeca2aec859341f506d295ab541af5f1454be18dbf869694b613395c7

    • SHA512

      160197e2ef76d7628575a053b59fe92b97e002dae60fb19acbbd971b84395487d622d83c51ec2946e37af04596a27dd0e76e9389cbc60abcd0a745a4ff2f5938

    Score
    10/10
    agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks