Overview

overview

10

Static

static

9

PAYMENT_.exe

windows7_x64

10

PAYMENT_.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e807d4714f17e7a6461c0ccc29279ff2861e976b05ca8cac18b3581f2a22503b

  • Size

    1.2MB

  • Sample

    220521-ccyrrsgfgn

  • MD5

    445394ff2482ed73cb3e3551517b06eb

  • SHA1

    9b576d183fb7f3234a8a256bf1104d2c83bbb218

  • SHA256

    e807d4714f17e7a6461c0ccc29279ff2861e976b05ca8cac18b3581f2a22503b

  • SHA512

    27acdc8a43743e897eb000d8cdce893183e67b4a47af2ec9ce8d1c62e68e7a600b899f668918e04c7bfeed158c3d1ea678174f2b48777691cca774050b26bc58

Score
10/10
agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.orientalkuwait.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Operatingmanager1&

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.orientalkuwait.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Operatingmanager1&

Targets

    • Target

      PAYMENT_.EXE

    • Size

      467KB

    • MD5

      d2a853f4673bcc9b9b2d17989cb3ba53

    • SHA1

      cee8b196927b10efef3d4efd36a0570f861a0ee0

    • SHA256

      c340fad2083b06131ba9375a8a9a90a71a7b5d9d6153a4c50ab4df210709af7e

    • SHA512

      86bc93532b0ce626548d928b7fd0643e6a428243abf5398528a375302592753ecaeb3c2ed2e01180a79dc2180bc35b5903a02a994211241849b2da3fb888be62

    Score
    10/10
    agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • CoreCCC Packer

      Detects CoreCCC packer used to load .NET malware.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks