Overview

overview

10

Static

static

REQUEST FO...20.exe

windows7_x64

10

REQUEST FO...20.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    121bca15983a8662d14929daf34b98104b260cd5acab341c616257addf62ccf5

  • Size

    515KB

  • Sample

    220521-bybcxscfe9

  • MD5

    dba6f7c382e64d7cbd24d73629bda0f3

  • SHA1

    68ce7a465139c7937887eb8512f0d0545e739b14

  • SHA256

    121bca15983a8662d14929daf34b98104b260cd5acab341c616257addf62ccf5

  • SHA512

    d4656d2b80dec8f466b72810f0e72ee40f610a8ed3c96cb48f48f973c7d801859aaf5c46d754954e71c59b02f26c267925edab1a0f0473e10d1ce86444ba089e

Score
10/10
agentteslacollectionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    EQQDdWP2

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    EQQDdWP2

Targets

    • Target

      REQUEST FOR PROPOSAL - KHAI QUOC TDR-05052020.exe

    • Size

      599KB

    • MD5

      99f2fcd36d14a8993a1f5af2cba8d2ed

    • SHA1

      acfad8fb18e290240ddc2be6157057e2a89d5bb9

    • SHA256

      27ef45a0e5db4ffe4e67ae3ce507aaf93e5618df7a12f1d443a5aea81cb2a895

    • SHA512

      8fe37906c97bbc4f6b440deee253c7068b43e7f6a0363c014b542bca41d2231fda6454bbcfd99af67108b758a6ca515a9cb996ecabdde7e1b432bbed4772dcfd

    Score
    10/10
    agentteslacollectionkeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks