General

  • Target

    c93b2e5437769a30e512a711ca27632b529736967d1c07b5b497eb9944f70374

  • Size

    390KB

  • Sample

    220521-ck634shahk

  • MD5

    ba1dcc0f74dfef6cf5661a21169ab63b

  • SHA1

    e7df8c5cef47ee32ff495e320dc2d11802cb9301

  • SHA256

    c93b2e5437769a30e512a711ca27632b529736967d1c07b5b497eb9944f70374

  • SHA512

    25946590742712ed1c53a56005d739d3f791e10dfa069734966fe5a5570b45ed5d9e4762b85353451b3c1eb13181abc8936e0de19e43a393c984ca9272d97c2b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.karmachalets.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Akshya@123

Targets

    • Target

      NYRNC200420511_FreightArrival.exe

    • Size

      446KB

    • MD5

      4e94b9a3025122a9949b79b37eeb3cff

    • SHA1

      a298bbb92765a40d6229da48b5c6c0edbc70f510

    • SHA256

      cb2792644a81d965b332d8d165e1e6f75894b43942a33d7e367f9b3a36d4a2bf

    • SHA512

      8551ea40aa3ee4dfc119b4560bee1c6a501be24b53f209e6b1672902b37a063cdd859822ba5793383ef679364fadc672b03c5752915f5404c75be74bef6678f3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is later decrypted.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks