Overview

overview

10

Static

static

items 001.xlsm.exe

windows7_x64

10

items 001.xlsm.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    733813587f5ab7a88aaa597563ee9e3a566bb3c4c7ad411eab6fb14c7ead28b9

  • Size

    742KB

  • Sample

    220521-n589raefg3

  • MD5

    6e6aaedd1664f5aac665a027c4150bd7

  • SHA1

    9f380510c3a9f6f4b2e1faa62bb2f72cf696916a

  • SHA256

    733813587f5ab7a88aaa597563ee9e3a566bb3c4c7ad411eab6fb14c7ead28b9

  • SHA512

    97d8eb841d00a292eb17b622138a61d0daf5295a84482b027fd762b093431055c358ce1c1ff7aa5a36b6d08842e11cf65428483ad724d7b6ea82ec737b1715df

Score
10/10
agentteslacollectioncoreentityevasionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.villanika.gr
  • Port:
    587
  • Username:
    info@villanika.gr
  • Password:
    n2^-9wE@Wl}t

Targets

    • Target

      items 001.xlsm.exe

    • Size

      859KB

    • MD5

      fb7e94850448226bd2a498aa3b1563ea

    • SHA1

      d700879ce59f46b7a774db6e4cb106245971e235

    • SHA256

      2a4411192b4d6c488f67079fa17e4c245825df49a8858fadd887dd616ab1c0a3

    • SHA512

      d43314e5e70070127c60813c026a928f5ee76fd92c94dee516adf6104b59337585fcab030e9678eb2447e67f1e9f355b7c20dc669569f8b1f164feb5dca6c631

    Score
    10/10
    agentteslacollectioncoreentityevasionkeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks