Overview

overview

10

Static

static

ORTHIN RE3...42.exe

windows7_x64

10

ORTHIN RE3...42.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    26b9dbe45e846a4d27ed41fd308be0e031fdbf9f2f742bdc95ab8625ab73f4a2

  • Size

    467KB

  • Sample

    220521-dt6z5sbchq

  • MD5

    26130af3bbbf95a8918390d115f86007

  • SHA1

    e9a5f0e9d42bc4ce5a864fea0015030619c6111f

  • SHA256

    26b9dbe45e846a4d27ed41fd308be0e031fdbf9f2f742bdc95ab8625ab73f4a2

  • SHA512

    51b711439b4a618af65a8df52db094b59ad139c7c47ba9fdd04e8314bfd7c152401f420d0a1c9cef15dec0f016dce9cb6725ddd598aa318702042cebadbaf015

Score
10/10
agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.climasenmonterrey.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    donttouch@00

Targets

    • Target

      ORTHIN RE303543 RE3542.bat

    • Size

      592KB

    • MD5

      ffc45247ab0320341d6e017077be0fb3

    • SHA1

      aad7e9a69dab1c5e35df8dde1e3136d8731df981

    • SHA256

      2ac203d2ba2fc79f4fa43ea2fff3b6e2d9a30bb8d73f6c809c50f8882913b373

    • SHA512

      182bc8566bee01d5c55fff04e488267001a4ade177820b2db6814fd4b4b72157cf2846df80ffded3227d9f6a77f14fcdcb05edc86ac963ebd8d3e4951a952c18

    Score
    10/10
    agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks