Overview

overview

10

Static

static

0020027409...20.exe

windows7_x64

10

0020027409...20.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2a81e1b21490ca5ff56b391e976f82de11e3dccda04456fddf045e8e0318eb10

  • Size

    379KB

  • Sample

    220521-dtg11sgcf2

  • MD5

    1903b49d4a2500d404bdcd9f1506bfa5

  • SHA1

    5b2f06a0680d88528139995b8b2c77a635e20a70

  • SHA256

    2a81e1b21490ca5ff56b391e976f82de11e3dccda04456fddf045e8e0318eb10

  • SHA512

    3bd7dcd1baf98d0aa2a39cd6819363ac5abc67e441ff241cb162bd95dfb9d729b8b6068f99501a25628f222b2fa1a40dc44b28087b181d1212e539f46d114415

Score
10/10
agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.elhelado.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    4042Ad@+

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.elhelado.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    4042Ad@+

Targets

    • Target

      0020027409011933_05-13-2020.exe

    • Size

      402KB

    • MD5

      fbc66dd14f31214c68d15659f71219bf

    • SHA1

      36301d647b8549e60564c34063a4a8a7b7bd1b76

    • SHA256

      3e2931cb793d52c5e3253abd7efa9c5c5da9fe766cc93a012ff784fe48694c7a

    • SHA512

      578e2bad1dc7a5775d4b13b34cb75d054d554de7f53aa8cecc2f85bff594abd43a63fc9d1e06ba90745f225b3a17bc7fe40e78c0e2c13de51dee7240aff5c0d3

    Score
    10/10
    agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks