General

  • Target

    c6d3f058ae3d3d3609586acdd1fc51d20071dbd048975ca9959fb3d0ec7b7870

  • Size

    506KB

  • Sample

    220521-clpkfshbbl

  • MD5

    f6f1c9e6cacd63700093fb62b0246961

  • SHA1

    e34a536a97224300ff192fad530422feccec47fc

  • SHA256

    c6d3f058ae3d3d3609586acdd1fc51d20071dbd048975ca9959fb3d0ec7b7870

  • SHA512

    aef0520c32c99b7ed9a1ea18fcd3336bb464babfd70f6811e71b58dfa8cca205d1853ed0b0e4d52a7250cd573363711a05a40fc676b655019be06b6d97056623

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Blessed000@

Targets

    • Target

      payment slip.exe

    • Size

      903KB

    • MD5

      e44da520fb1bd768b2ecb9de8d4f9af0

    • SHA1

      c736083b2ad0e8b342da8dd18da3f0f65ee2aff8

    • SHA256

      9e4a0e9ca5fc3d99fa1910cd19bd8db39c79ba01320341e5c9ce30ecff9ecdd3

    • SHA512

      e2a3395e6418bdd310044aecd9bfba0d5416c4ebdac0df1991dafc91a09bcbcee3a726845c6b1d42abf95629b73fc22496deb882d74724e6ab7cd1ed878304d9

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity, which embeds the payload as a BitMap object that is later decrypted.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks