General

  • Target

    9d113bd61ca6f4ccef87a8d750298bd5b0dcd9b5db22f5387cc6055ca8ab20e2

  • Size

    485KB

  • Sample

    220521-n3stzshfgl

  • MD5

    365aac80928a112ebc2bddde21f180be

  • SHA1

    7e7902c1b752f454fd31665b37fdcbe603066e60

  • SHA256

    9d113bd61ca6f4ccef87a8d750298bd5b0dcd9b5db22f5387cc6055ca8ab20e2

  • SHA512

    77ec40e9b7720a4ba69367f49a191a49b8fa4ca7d32cc65560281545d316503aa6b4219a1ad43ee60bf3dd6b0f853cfe290efc0e4e3caf5a5033265f18814fb0

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.thermalinda.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    hJIrKDxj7

Targets

    • Target

      Order List.exe

    • Size

      537KB

    • MD5

      569ac4f4dc8e7e2dc11f261985521526

    • SHA1

      d9c55dcc408349bd94188b3623c6768a8d4f5c64

    • SHA256

      d0a350c1ca56ad366f1f359bb2485422b71168542116d443a402efaf76e60148

    • SHA512

      1ccc0010816fff295407ed3b58905d0fe302cbe4ea1ab6d158d68346673ca476462a5ac50060d22e85e2d419e48abe02afa9a612aeb4f0564da591c55a834111

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (3 matches), T1081

  • Collection

    Data from Local System (3 matches), T1005

    Email Collection (1 match), T1114

Tasks