General

  • Target

    27c1110123a884666fc61fd77e3ed754676a0f20b03a6aa8895066765a40989e

  • Size

    508KB

  • Sample

    220521-dtzk3agch3

  • MD5

    6c80600231adb28b5d08b0494645c70a

  • SHA1

    b35338fd17b047f9f034c9ab2af23a49403439e3

  • SHA256

    27c1110123a884666fc61fd77e3ed754676a0f20b03a6aa8895066765a40989e

  • SHA512

    09fca7bdd38e0f37e2932bbee9369344bb9a8cb2ad6306830e1def194b691a4956e4571c72154d963f2f1e29083fec23bf3d3a1cdaf0477401db4025b3dad617

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.suncurepelletmill.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    pellet2013

Targets

    • Target

      purchase order HB-20-06099.exe

    • Size

      446KB

    • MD5

      2a4f2669b73ffc3bcb1f382774f57c37

    • SHA1

      a5f0968074fae2fa93e10684fc03ec817198639f

    • SHA256

      d2dbb94dedc36a45bd0f528aefae333861935729369b2136b85daa3ff77e4e0a

    • SHA512

      ed1f55a2833460c9fd63d7305661bdab8c362579b630d7d2c05b2585ebf79a69f424b367f115721a3ae59491eef72a2bdd8d600656837921041696a022d35474

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      ID      Count
  Execution             Scheduled Task                 T1053   1
  Persistence           Scheduled Task                 T1053   1
  Privilege Escalation  Scheduled Task                 T1053   1
  Credential Access     Credentials in Files           T1081   3
  Discovery             Query Registry                 T1012   1
  Discovery             System Information Discovery   T1082   2
  Collection            Data from Local System         T1005   3
  Collection            Email Collection               T1114   1