Overview

overview

10

Static

static

KOGAN AUST...ts.exe

windows7_x64

10

KOGAN AUST...ts.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    021167d25d1da6b03b476459604811deb5af5b77c69ba6238b67f85d92f0db4a

  • Size

    448KB

  • Sample

    220521-d5n9gabhbj

  • MD5

    f38ffab3cb06c2dc1f5a6246d417e198

  • SHA1

    49c61a2cf0cd705fc98c15e501691d4f56261237

  • SHA256

    021167d25d1da6b03b476459604811deb5af5b77c69ba6238b67f85d92f0db4a

  • SHA512

    57c86e90268a2d96ffa221ced6efd0a8fb777d61174cb509604112c389d47096900e989c027716e52a38a2c69f43831a9c7a79df5988be359b481272c1583804

Score
10/10
agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    premium101.web-hosting.com
  • Port:
    587
  • Username:
    grace@onebillion.website
  • Password:
    I@3Qc&OZDCX~

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    premium101.web-hosting.com
  • Port:
    587
  • Username:
    grace@onebillion.website
  • Password:
    I@3Qc&OZDCX~

Targets

    • Target

      KOGAN AUSTRILIA LTD - Products Requirements.exe

    • Size

      598KB

    • MD5

      67ff8238044496d3fcd0b57fc43720d9

    • SHA1

      a48f4b75b5890d702d30f1f09126e5536edb9def

    • SHA256

      481fe9b310d02dfed2c5d650e64b63bab9021d9c8ece0b90f9a0d474ce6d64e8

    • SHA512

      e0f758d3b69e6a114f5e8e0e53b28563d6af35949178c7c4f8ec4993b9806540b0d18292a3f374bfbe4d08c574142c6df351e2c8fa7665f1d296ce09b0c29276

    Score
    10/10
    agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks