General

  • Target:
    9872404dec861a257b694f7c41f7f8b54cbbbaeea302162ba5c376fe130c461e
  • Size:
    256KB
  • Sample:
    220521-cyldkaeff9
  • MD5:
    9c9f8cf7097e424198669caf94cb4937
  • SHA1:
    15866cee76cc25a94b7e11617a014b933953770d
  • SHA256:
    9872404dec861a257b694f7c41f7f8b54cbbbaeea302162ba5c376fe130c461e
  • SHA512:
    9a137ae1a4d757e803244d6867558f1f8fddc1310ba9c83a5dbc5188e429c40961074cd39e42a7df90c6b10f298e9355e81fe3855575a7130f7ad50ee61b9beb

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.flood-protection.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    kelex2424@

Targets

    • Target:
      Shipping Document PL&BL Draft.exe
    • Size:
      625KB
    • MD5:
      64e4d4aa0542e49e9b08868b241e70db
    • SHA1:
      8267f4704aabcc486762b13d91e3130b4e75ba10
    • SHA256:
      3bae40f4ada889d55841eebf00744c945343094c081c35c146de733313d9d516
    • SHA512:
      47ff8f59cf1e427d7bf77950f2004b167272da31a923e6f83ffd5c75d1b7c8e8ac658f4b2ed12621cd2f14e8b654509769935d3e201e55541e221e22fd99b582

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • AgentTesla Payload
    • Obfuscated with Agile.Net obfuscator
      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Accesses Microsoft Outlook profiles
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                 Count  ID
  Credential Access   Credentials in Files      2      T1081
  Collection          Data from Local System    2      T1005
  Collection          Email Collection          1      T1114