Overview

overview

10

Static

static

10

PEDIDO#496...df.exe

windows7_x64

10

PEDIDO#496...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a0690460355704ff1a35f16f907ed3d4af190b150e8579e70984c0ee484ece8c

  • Size

    329KB

  • Sample

    220521-cwv5zshfgj

  • MD5

    f65099b3ee5e47b049a1191b54ec8508

  • SHA1

    ca806be4311666eb42ed6cae1702c0cef0cd6eda

  • SHA256

    a0690460355704ff1a35f16f907ed3d4af190b150e8579e70984c0ee484ece8c

  • SHA512

    d7ec23fa614bbd3c695d2957740760dbd452cfb5726351d73fd545535d563b70ed33e5de179c4bc6635db1830d8936a5dd99b1625a895fe54b46effd6338129b

Score
10/10
agentteslaagilenetcollectionkeyloggerspywarestealertrojan

Malware Config

Targets

    • Target

      PEDIDO#4965832-pdf.exe

    • Size

      766KB

    • MD5

      cd53bb5a8efb8397089db59307b51406

    • SHA1

      b6749766413cdd7a7c6b58bb1d596a6d4478e1a4

    • SHA256

      d44272fe83f10383b50e8268ffe5f7f70e1c2b355363ccde038172f6a9eb5479

    • SHA512

      5931d2c2966e2ca76ac307d4742acc2847da04bceaf02475e2d9bf0b3e081aeed4bb5caf2396a417bc3194cf6cda4c3d6b38538e75cb5a32a934e6ab62004f41

    Score
    10/10
    agentteslaagilenetcollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks