General

  • Target

    0d52507084f726b46e643eea8661c97e96fe32d094f214bee4cd1dd6419a90d3

  • Size

    802KB

  • Sample

    220521-n379nshfhr

  • MD5

    35548bd08997150c7ea3f219bbc37f81

  • SHA1

    19dcf46f727fb734b7e21c459363d9f78c587974

  • SHA256

    0d52507084f726b46e643eea8661c97e96fe32d094f214bee4cd1dd6419a90d3

  • SHA512

    49a69982659bf6544747596d60850d1eb9d2919e2ba88a19659a8b9593829e3c4e29e381f49cae847a55428a20dba1368a67171dcbf9e8359576c4672dcad11a

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Loverboy123

Targets

    • Target

      PO #04289 confirmation Order-Jun-2020.pdf.bat

    • Size

      742KB

    • MD5

      7b96f0538d245bfe7a61c50ec66a73eb

    • SHA1

      e9e29a5b956c7fc5a5986562557909020faab7b9

    • SHA256

      ba30aa707120fb8a73c2e367ca519aa6fd38a83dc74680eeada79a25f5ef2800

    • SHA512

      a7ae5ef2dfccbc940b7aed8443ada3fb5b43150e92c4e8cc895014b38268ff290a7aad1ac3ce6d3f793245b76a18baf13a1a2958ba01b9ea65114873135a7610

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 3
  • Collection
    Data from Local System (T1005): 3
    Email Collection (T1114): 1