Overview

overview

10

Static

static

po no 1038...er.exe

windows7_x64

10

po no 1038...er.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    623344972936ef938d926720ffe33dac5ff918a7e5bbab7aaca6611077e723b1

  • Size

    611KB

  • Sample

    220521-btpdzsfecl

  • MD5

    83a32fcd629d41912975dfee3da2e2b4

  • SHA1

    f256499d7691013dc26f292076916ab68fcca95d

  • SHA256

    623344972936ef938d926720ffe33dac5ff918a7e5bbab7aaca6611077e723b1

  • SHA512

    db285b39c0750d09a3ab99e19b34468269654d70a20c6e2d57fcd3217cd31f328022357e2b587c1e27c68a361f16cfe8e6a63169d5fa6758b2a24733b5e29c85

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    gnaeask@2015

Targets

    • Target

      po no 10389 & 10390 - for 2 orders together.exe

    • Size

      660KB

    • MD5

      3e68b7ef28a3025b722831cd624cb2a8

    • SHA1

      e176e6b0a34ecc203f30813e54a1ab8325297ab3

    • SHA256

      37e399fce2caa80c9ea931f693b51a6d1c11464df1ead916cfca67f6100ad71f

    • SHA512

      31fde62880b3e11a97832e09173231a2f0b9fe035cf04b705fd658be6439b7ffe16711e4fb1b2226b3dd440c1c7bbbcd243f4795cec03c34f8cc6e80edcaf857

    Score
    10/10
    agentteslacollectionevasionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks