Overview

overview

10

Static

static

5X40ft Containers.exe

windows7_x64

10

5X40ft Containers.exe

windows10-2004_x64

10

Invoice.exe

windows7_x64

10

Invoice.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1a1649fe96f3711a5af037918c440701ac828722879d118e12e761541c266490

  • Size

    759KB

  • Sample

    220521-bxv1yacfd4

  • MD5

    2e22eadb2945460207f501017ff6d6ba

  • SHA1

    e793f18fd7e3699f6602df3865b3746a5a7b4b61

  • SHA256

    1a1649fe96f3711a5af037918c440701ac828722879d118e12e761541c266490

  • SHA512

    165db6e63b56da0690ed10e500610d9885b1619f74d650a34c54bf6c2e67ebacde2ea0d6f811253b3163b7e50ccf22ba73a6c2ed8d54da02c2c7e8f97f9e3d48

Score
10/10
agentteslacollectionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    coronavirus2020

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    coronavirus2020

Targets

    • Target

      5X40ft Containers.exe

    • Size

      447KB

    • MD5

      21392c35fff25aa5aca7dd5b38d07db3

    • SHA1

      110c61ea53ecc080b4871b348f4a524ae8723d89

    • SHA256

      cebc844f3daddf87ea7763dafad1989b62052fe2264a4eb2ed9438e67789bc72

    • SHA512

      bdb0501766036cc598350d7450ecf7903881e810e5b8067c0ac723ac665e8570d24ea3094a339dbc01bcb0658b21a36e59553ae3bf4c9c960d756ad1377b60ee

    Score
    10/10
    agentteslacollectionkeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Invoice.exe

    • Size

      430KB

    • MD5

      cd9794b192b65afe8eb044f5da433695

    • SHA1

      ce0c3552c8da19531b70150f6e406528c45549de

    • SHA256

      ef96df6ea910efa18ab195dcdc724bb1f405d520862da83da33ce31a7f405c47

    • SHA512

      e246255c1fc3149b1d0312df95721a455b1e084bf79ca561bffffba6b3d286adad21604b6d497c71ebadfdc8e25e14c4e84f2ba28f4fbe817fe011e7ebea0ab9

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

2
T1053

Persistence

Scheduled Task

2
T1053

Privilege Escalation

Scheduled Task

2
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks