Overview

overview

10

Static

static

RFQ_C73639811.PDF.exe

windows7_x64

10

RFQ_C73639811.PDF.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    98d8f300efd4db1cfc1db9a28904bbf273b38534b416fbd7d3d78885cc73d014

  • Size

    400KB

  • Sample

    220521-cyfs3shgcq

  • MD5

    2d10396286e546b8ecc44648173ed22a

  • SHA1

    d51a4151b3c7a57542b5908cf344bf02d76fbb82

  • SHA256

    98d8f300efd4db1cfc1db9a28904bbf273b38534b416fbd7d3d78885cc73d014

  • SHA512

    02cd7c0fffdb4b85575490f1a785d24bf1d0b47cf4bfbce3fffbadf59247dd76318c1f12cc2feb4859a87fcd1b162cdfa49107a96d087412e44ff6e973723c25

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.cdldxy-cn.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    SSzps(s5

Targets

    • Target

      RFQ_C73639811.PDF.exe

    • Size

      436KB

    • MD5

      6f5505f192e637d38811991f4f62b81a

    • SHA1

      055e0e03018b75b39a551b754f4eaad8067e6481

    • SHA256

      d872c84aaa87d90521400f1d6052524e0d2256b3d865aeaad679beea3919a49e

    • SHA512

      82adeb010bdd3674b77bc930b7608e2bdc50a14309b42ea91c57f91225173cf23e417af50525ee40f720e025ad3ff68e3025a23c163e284eef33badc230a1017

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks