General

  • Target

    d81e7da4ac57ac10df28aa44098a16daa02ab180987247de6abc663215a6e604

  • Size

    388KB

  • Sample

    220521-cgr5saghel

  • MD5

    996f03cd5e12be88a95732363abea8f1

  • SHA1

    999e6c1da5791b710a673d369856a9ee6136593f

  • SHA256

    d81e7da4ac57ac10df28aa44098a16daa02ab180987247de6abc663215a6e604

  • SHA512

    ca3bab4058e9de4c370622ac2d8ca3f0f697c631b49a997b3807a8f8d694c8e3fee52471946a31873833950e083d7d4c09b7a5aa6375f821d7f72ff59468f554

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    off1ce.box@yandex.com
  • Password:
    kroskofile

Targets

    • Target

      Akbank Hesap Özetiniz.exe

    • Size

      484KB

    • MD5

      3b8a94165d2603343953e2491617f5d6

    • SHA1

      7ba71a7d18927af204e086a8662a93df9e24ce46

    • SHA256

      b36cdef1bf3b71c8edb27b1d2eabaa00b2df89f3a46bc9c727f4dbb6956fcddb

    • SHA512

      445557b0bad87c39ad63598b51e057ec86c67469ab83d46787dea5e66e0b84fcca313f44115e82a24918b533b00a9862c353ff315e5a17645319449dfdf076df

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer. It harvests stored credentials from the host and exfiltrates them; in this sample the exfiltration channel is SMTP, using the mailbox in the extracted config above.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds its payload as a Bitmap object, which is decrypted and loaded at runtime.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and cookies.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      Commonly seen when a suspended process's image is replaced and its main thread's entry point is redirected to the injected code (process hollowing).
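
The signatures above describe a chain a detection engineer can correlate on a host: one process reads several credential stores (FTP client, email client, browser, Outlook profile) and then opens an SMTP connection to the mailbox in the extracted config. The following Python script is an added example, not part of the sandbox report or of any Triage tooling. The event schema, field names and the SAMPLE_EVENTS records are constructed for illustration (simplified EDR-style records, not real Sysmon output); only the C2 host, port and username come from the report's extracted AgentTesla config, and the mail-client allowlist is an assumption to tune per estate.

```python
"""Hunt for the AgentTesla behaviour chain from this report over constructed
endpoint telemetry: credential-store reads by one process followed by SMTP.

Added example, not part of the sandbox report. The event schema and
SAMPLE_EVENTS are constructed; only C2 comes from the report's extracted config.
"""
import json
import re
from collections import defaultdict

# From the report's "Malware Config" (password deliberately left out).
C2 = {"protocol": "smtp", "host": "smtp.yandex.com", "port": 587,
      "username": "off1ce.box@yandex.com"}

SMTP_PORTS = {25, 465, 587}

# Processes allowed to speak SMTP. Assumption: tune this allowlist per estate.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Well-known credential-store locations that AgentTesla-class stealers read,
# grouped by the categories the report's signatures use (matched case-insensitively).
CRED_STORES = {
    "ftp_client":   [r"\\filezilla\\(sitemanager|recentservers)\.xml$"],
    "email_client": [r"\\thunderbird\\profiles\\.*\\logins\.json$"],
    "browser":      [r"\\google\\chrome\\user data\\.*\\login data$",
                     r"\\mozilla\\firefox\\profiles\\.*\\logins\.json$"],
    "outlook":      [r"^hkcu\\software\\microsoft\\office\\\d+\.0\\outlook\\profiles"],
}
CRED_PATTERNS = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
                 for cat, pats in CRED_STORES.items()}


def classify_access(target):
    """Map a file path or registry key to a credential-store category, or None."""
    for cat, pats in CRED_PATTERNS.items():
        if any(p.search(target) for p in pats):
            return cat
    return None


def hunt(events, min_categories=2):
    """One finding per process that touched at least `min_categories` distinct
    credential stores and also opened an SMTP connection, unless it is a known
    mail client. `matches_extracted_c2` is True for the report's exact host:port."""
    per_pid = defaultdict(lambda: {"image": "", "cats": set(), "smtp": set()})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["type"] in ("file_read", "reg_read"):
            cat = classify_access(ev["target"])
            if cat:
                rec["cats"].add(cat)
        elif ev["type"] == "net_connect":
            host, port = ev["target"].rsplit(":", 1)  # "host:port"; hostnames/IPv4 only
            port = int(port)
            if port in SMTP_PORTS or (host == C2["host"] and port == C2["port"]):
                rec["smtp"].add((host, port))

    findings = []
    for pid, rec in per_pid.items():
        image = rec["image"].lower().rsplit("\\", 1)[-1]
        if image in MAIL_CLIENTS or not rec["smtp"] or len(rec["cats"]) < min_categories:
            continue
        findings.append({
            "pid": pid,
            "image": image,
            "credential_stores": sorted(rec["cats"]),
            "smtp_destinations": sorted(rec["smtp"]),
            "matches_extracted_c2": (C2["host"], C2["port"]) in rec["smtp"],
            "attack": ["T1081", "T1005", "T1114"],  # ATT&CK v6 IDs as listed in the report
        })
    return findings


# Constructed telemetry: PID 4120 mimics the report's sample; 2200 (real mail
# client sending mail) and 3300 (browser reading its own store) must not fire.
_MAL = r"C:\Users\victim\Downloads\Akbank Hesap Özetiniz.exe"
_CHROME_LOGINS = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": _MAL, "type": "file_read",
     "target": r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 4120, "image": _MAL, "type": "file_read", "target": _CHROME_LOGINS},
    {"pid": 4120, "image": _MAL, "type": "reg_read",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 4120, "image": _MAL, "type": "net_connect", "target": "smtp.yandex.com:587"},
    {"pid": 2200, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "type": "net_connect", "target": "smtp.office365.com:587"},
    {"pid": 3300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "file_read", "target": _CHROME_LOGINS},
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2, ensure_ascii=False))
```

Requiring two distinct store categories plus an outbound SMTP connection is what keeps a browser reading its own login database, or a mail client sending mail, from firing; the `matches_extracted_c2` flag separates a hit on this specific campaign's mailbox from a generic "unexpected process speaking SMTP" alert, which is still worth triaging because AgentTesla builds rotate their exfiltration accounts.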

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081), 3 matched signatures. T1081 is the ATT&CK v6 ID; current ATT&CK versions list this as T1552.001 (Unsecured Credentials: Credentials In Files).

  • Collection

    Data from Local System (T1005), 3 matched signatures

    Email Collection (T1114), 1 matched signature