General

  • Target

    ec6241aa9bc5fd1596befd06fe76754d81b689cf2fe0d532c33a28629b9b349b

  • Size

    488KB

  • Sample

    220521-cb5hxsgfek

  • MD5

    82b5091731cdeec5944c5a0a9e8cbc65

  • SHA1

    2cac06f35bf8a5ffb371d653cb87c102697ccd18

  • SHA256

    ec6241aa9bc5fd1596befd06fe76754d81b689cf2fe0d532c33a28629b9b349b

  • SHA512

    3072e073b53ae59ab4a7448aa6a8177ff2c80c8a444f037b511f2da61ec2139db961300998fde649e672ff405e350d69cc4de3505f9508c927a124a1f7832be8

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.1and1.com
  • Port:
    587
  • Username:
    usjobs@ramsoft.net
  • Password:
    $Hari@prasad%2020

Targets

    • Target

      Documents.exe

    • Size

      542KB

    • MD5

      774ce64540a4a68205bb30634225bef4

    • SHA1

      cf4ff0fad7cfefdec0d3a46ade72ebf3565ba677

    • SHA256

      38a112ac5ecf5d11e3e4f70fe462ec424bd0aa8c67495ac6744b0bbb8082f5ba

    • SHA512

      9175e52fdf3e8a6a4b656a1b0e508d942c782db3e2b8f52e6c1b749c627a9c99e4f1b00b66e8d20c4250f3541e8b8e00f906222f65840d0886632a12c4557899

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is decrypted at runtime.

    • suricata: ET MALWARE AgentTesla Exfil Via SMTP

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 3 hits
  • Collection: Data from Local System (T1005), 3 hits
  • Collection: Email Collection (T1114), 1 hit

Tasks