General

  • Target: 9e985c343835204f9a3754f1f4afae132b2acec6f91ea6af8fe63e22cde4dccc
  • Size: 384KB
  • Sample: 220521-cw8q3sefa9
  • MD5: fdf760439844895828727d262484e648
  • SHA1: 15abece73fb1bf56dfd419fccce6d4b84285ed90
  • SHA256: 9e985c343835204f9a3754f1f4afae132b2acec6f91ea6af8fe63e22cde4dccc
  • SHA512: a47db9cabd30da6536868cc91939c8baf530d6bde585915908a0ab265bffd277c6508ec4bdd1099ae4b96fa9f689ba42971cd37a4c3fceec670c6ea20bb0ec9b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.samudrapanel.com
  • Port: 587
  • Username: [email protected]
  • Password: weslali234

Targets

  • Target: Purchase ORDER.exe
  • Size: 418KB
  • MD5: 9379b0be7d5f7bdf52de8bcaf7cb0822
  • SHA1: 0f6fae2ae2a8919646b035fe5a61c3b5a03c6267
  • SHA256: ac2aab6531d925758d42b868961baac85fba5b02343b50597f820f1cf7c60e0a
  • SHA512: 04597f30ccebf497d54f3cadcb8a5a2833a7bf4cbefa99081db1ff995a5e501d01b4f8c934066938e818ece731b2c48fb9517b4b1c49a429a630f05cfd49f99a

  • AgentTesla
    Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  • AgentTesla Payload
  • Looks for VirtualBox Guest Additions in registry
  • ReZer0 packer
    Detects ReZer0, a packer with multiple versions used in various campaigns.
  • Looks for VMware Tools registry key
  • Checks BIOS information in registry
    BIOS information is often read in order to detect sandboxing environments.
  • Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.
  • Reads data files stored by FTP clients
    Tries to access configuration files associated with programs like FileZilla.
  • Reads user/profile data of local email clients
    Email clients store some user data on disk, where infostealers often target it.
  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Maps connected drives based on registry
    Disk information is often read in order to detect sandboxing environments.
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                        Count  ID
Execution              Scheduled Task                   1      T1053
Persistence            Scheduled Task                   1      T1053
Privilege Escalation   Scheduled Task                   1      T1053
Defense Evasion        Virtualization/Sandbox Evasion   2      T1497
Credential Access      Credentials in Files             3      T1081
Discovery              Query Registry                   5      T1012
Discovery              Virtualization/Sandbox Evasion   2      T1497
Discovery              System Information Discovery     4      T1082
Discovery              Peripheral Device Discovery      1      T1120
Collection             Data from Local System           3      T1005

Tasks