General

  • Target

    782083fbf59bde49ea9e6fe9b81bd4e2c0caf67d032b6c130d74f4826ba5ed02

  • Size

    409KB

  • Sample

    220521-c7pgksfbc8

  • MD5

    6e3b36d998c7b152d2660b1218d29546

  • SHA1

    cbd4ad1639a8365e27ffc77464ed61d58cdf7599

  • SHA256

    782083fbf59bde49ea9e6fe9b81bd4e2c0caf67d032b6c130d74f4826ba5ed02

  • SHA512

    6e7d0f7439ca894d4544ac5d0a7d469547a70987d6c8ae9b478016f467892c7e2582adbe86e574af9f88d7ee40f2e6aed9cf4480a0d6b4cfbcc71b3af9e5170a

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    gatefee22

Targets

    • Target

      RFQ_502480987.exe

    • Size

      456KB

    • MD5

      824a7153c1a14e7ddf069f46157a1d9d

    • SHA1

      77116aba7ff9d7ef6a897a904ba8ce03816766e0

    • SHA256

      bacaaa40e0f3b6cba3fc498dfbd6f2d198a767453cd8513acdbafa9fefaeed2a

    • SHA512

      1704738f458c31490359a25c8dd5c25d5201b9c448d4e6ddade8b00871e8348c56095a5d97efbe79288987c11902741ed4e0e3fd3e52172f9e844023f594e1b9

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Modifies Windows Defender Real-time Protection settings

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Modify Existing Service (T1031): 1
  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 2
  • Disabling Security Tools (T1089): 2
  • Virtualization/Sandbox Evasion (T1497): 2

Credential Access

  • Credentials in Files (T1081): 3

Discovery

  • Query Registry (T1012): 5
  • Virtualization/Sandbox Evasion (T1497): 2
  • System Information Discovery (T1082): 4
  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 3
  • Email Collection (T1114): 1
