Overview

overview

10

Static

static

9

Original S...df.exe

windows7_x64

10

Original S...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e56a94bb7952f514df90db07d5b5c7138e13548f31e6fd4101a02a15988f3926

  • Size

    401KB

  • Sample

    220521-cdpv9aggbj

  • MD5

    9c6e862f7f0c2aa057d0d7d15485aac6

  • SHA1

    5474fe73dbfdc255eabbc6b4b9eba1188a3f18de

  • SHA256

    e56a94bb7952f514df90db07d5b5c7138e13548f31e6fd4101a02a15988f3926

  • SHA512

    f1e8d26eb96884f040ec588a9e344ded98cc0e6e52664305ef06041c077b8ea0f6065c7acb5cffb957442a5f043833cc65033d3db68e0d24fafce72f62525aef

Score
10/10
agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.anding-tw.com
  • Port:
    587
  • Username:
    issac@anding-tw.com
  • Password:
    zra1@!G8gQ+i

Targets

    • Target

      Original Shipping Documents_pdf.exe

    • Size

      462KB

    • MD5

      65e731dd7383f50ebb24ba8b68b60fd3

    • SHA1

      4f5908e161d78753530e0e39e7a1fbfd35a1f62b

    • SHA256

      3da52257d2bf11ec3b3616e8a3c5891d2c2fcf1c2195f8b3f083175da57d2eb2

    • SHA512

      1f49ca33289f518fe9714c2ff3b4c6cae804c4f391107a89f4a691cb1e9ee64ba2dc3bda790a2b15a94b09f7575b7e0168cbe89ed586f33dc6815767e690d227

    Score
    10/10
    agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • CoreCCC Packer

      Detects CoreCCC packer used to load .NET malware.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks