Overview

overview

10

Static

static

proforma i...sx.exe

windows7_x64

10

proforma i...sx.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ad6ad515ecb5dd94594d406307c329bb85036d010a92e6b039a2d98c8d8636e3

  • Size

    354KB

  • Sample

    220521-n2qy1aeeb3

  • MD5

    0c49df0369373a8e27a94f68245411fd

  • SHA1

    10502abc3b03e56c11d30f26ded5260bd6063fda

  • SHA256

    ad6ad515ecb5dd94594d406307c329bb85036d010a92e6b039a2d98c8d8636e3

  • SHA512

    f818af89da2dcdf1cb59e66bd8a32a833b0c69338dd960288454575c2d9ba33b47c91477958c611ee793f68b479c8d36913d6575e1d8f4fd61c2a9c39af69e26

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.sna-peru.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7U11*m3r3

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.sna-peru.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7U11*m3r3

Targets

    • Target

      proforma invoice.xlsx.exe

    • Size

      444KB

    • MD5

      3c631db82599efa6af78c04361cc90d6

    • SHA1

      987c847bd243e8cbd92f7394853e8a07e1b75a62

    • SHA256

      01c471329aeb0abda663f25bd5d0cf03cf0fd7d50bdbf31598c2ad47189289d1

    • SHA512

      59ce2fdb745c0e9ac89166a3972bfeb1eefe6d14ec4b26c66282961b7663e3f34152e4f0d1d65f45b2b90758d1199de957b8ba59747b8f3550bbb5143bea9f97

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks