General

  • Target

    a8592530826bffe4e397e6f53054c366cef50d567bc9f54ddb4c4a960cb21537

  • Size

    2.1MB

  • Sample

    220521-ct1yfshefr

  • MD5

    6f38eaad5b00fbe6b3798cec38e8f6ec

  • SHA1

    48f126f2629b8c5498453ab198b138ee3911ea75

  • SHA256

    a8592530826bffe4e397e6f53054c366cef50d567bc9f54ddb4c4a960cb21537

  • SHA512

    8a07cc61287634452e38d977b0ed87ab09a508e381a5ca8d3e7502f1abb4fd3130ad804d9f94c621b0b28c2c9d9086daec7b431b23fbc23d8bfe1cb5f1c0c790

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    z123456789ok

Targets

    • Target

      DIAGRAM.EXE

    • Size

      666KB

    • MD5

      4f356846f7030367803453f210306628

    • SHA1

      960fa757fdb7f628facb24b8b686f20c2fa79382

    • SHA256

      f7cc73c4bd3b43e1c4be82c8ea43d8db9bd170acc78031e83f8c71277a2d8990

    • SHA512

      7ff8bda0b221bacb3b9c1d9e41e7331374963d51f4e96dcde3e99d477aef8c8d2985144110313415c624bd5c8e48188ac81456396748b1d549a19b68aff9ab86

    • Score

      9/10

    • Looks for VirtualBox Guest Additions in registry

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      INV45367.EXE

    • Size

      441KB

    • MD5

      8dfeeb5848cde9dfd0aa8c504eefeda0

    • SHA1

      8db0db50f886d43665351dba54fca2652d1db18e

    • SHA256

      07314d5b91857ca3814c9388a01179c00d6fd8aeb8ff93a73327cffce42c8650

    • SHA512

      d4d0b26035da900546be561b4abde39346309a7069ce58ea0faeb4c9dcdd32aea15880333d937337b62b55510924acc239b98bd119d3cbb087095a2e0222acce

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      PICS.EXE

    • Size

      431KB

    • MD5

      c4996221c4549bc88d77fd2f265e6a13

    • SHA1

      8516f1e99b52e4f22f3c4ccd75d7858c669375d5

    • SHA256

      396f3200a662d0bb44c36326b2501aac7eddb8117b78c956d1569a9d1e83729e

    • SHA512

      953f70203797dc35b9bc1e479baf25d417674dfc6c36fc6325caf7f54bfcbb81633b15849efe4c3ee4277b3d1873abf4325bf3c38fb159ee4b036c976726dafe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the technique, the number of matching signatures in parentheses, and the ATT&CK technique ID.

Execution

  • Scripting (1) T1064
  • Scheduled Task (3) T1053

Persistence

  • Scheduled Task (3) T1053

Privilege Escalation

  • Scheduled Task (3) T1053

Defense Evasion

  • Virtualization/Sandbox Evasion (6) T1497
  • Scripting (1) T1064

Discovery

  • Query Registry (15) T1012
  • Virtualization/Sandbox Evasion (6) T1497
  • System Information Discovery (12) T1082
  • Peripheral Device Discovery (3) T1120

Collection

  • Email Collection (3) T1114

Tasks