Overview

overview

10

Static

static

BANK COPY.exe

windows7_x64

10

BANK COPY.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2477df2f4c434194c6fa5c9c7c0369ac4b7ba875ca902e22e813effb53820f98

  • Size

    577KB

  • Sample

    220521-mxhamafgcq

  • MD5

    77b22baf51df4cae4bd09f2e9a3f91d1

  • SHA1

    6682c1156710985f7b10b1d87db2c6986172aeff

  • SHA256

    2477df2f4c434194c6fa5c9c7c0369ac4b7ba875ca902e22e813effb53820f98

  • SHA512

    9c6df830e1269820b0661e4d5eec76893d1c3174a16e744592b63b52dfd602c0c18bc3916eace140c5bf2c5a751a26544bd96f778095b1daa42e38aeca7c845b

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.albaniandailynews.com
  • Port:
    587
  • Username:
    marianakllici@albaniandailynews.com
  • Password:
    125875.jUkT

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.albaniandailynews.com
  • Port:
    587
  • Username:
    marianakllici@albaniandailynews.com
  • Password:
    125875.jUkT

Targets

    • Target

      BANK COPY.exe

    • Size

      985KB

    • MD5

      7caa639b8b264d21417fad8969dfdc1e

    • SHA1

      960ede809b7927dd134620eb88744239826bd324

    • SHA256

      42cca3ae2e4d971b4bd7acc8b205c22ba675aa08b760aac654514c5578d74dc2

    • SHA512

      ba5f61ce73c21fdbc66390b60b2c3f2cdc4a8dfc1ad8b9610c2ecaae3d6cc704fba5a63bd13f52df880b039da5d3bf074f9196c2ab8d9fed8f854bf3a9388d32

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks