Overview

overview

10

Static

static

EUROCargoF...20.exe

windows7_x64

10

EUROCargoF...20.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ccf7a39b671a887f52335591049453adcca65863fc1b8edd1828d552c23d1ab2

  • Size

    391KB

  • Sample

    220521-ckfadseae7

  • MD5

    8120add2a389c13703a951ca66400777

  • SHA1

    e89f952697ca071ce245d39fcdcbe6204836e2e9

  • SHA256

    ccf7a39b671a887f52335591049453adcca65863fc1b8edd1828d552c23d1ab2

  • SHA512

    4e4fd8d6398204c9a409eeefb2478cd246856e55058e2629894206c91c59034c1ff4ae870019ac2ef0eded1abd8f13d1a1f256bd4f4d763108720461583a4fe2

Score
10/10
agentteslacollectioncoreentityevasionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.karmachalets.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Akshya@123

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.karmachalets.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Akshya@123

Targets

    • Target

      EUROCargoFO0005962320.exe

    • Size

      424KB

    • MD5

      02ad34cc75ffd8091df65b7f4c0b0ab4

    • SHA1

      e264c9a14bd91153edf3b35773011bc5b912b48d

    • SHA256

      0fdd378395c3c909429366bdd2d59fc8d2a04e47d9954b101da81be15b583c77

    • SHA512

      58e8bad4fbd0dd000ac0dd4f109647baf72b16920b973008c43d0023ceb8cd91628222eb3ce196d25d1ceca36b240a592d40151fe831a6ff73675c83859f6844

    Score
    10/10
    agentteslacollectioncoreentityevasionkeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks