Overview

overview

10

Static

static

10

CL00485Q19...TB.exe

windows7_x64

10

CL00485Q19...TB.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1ba7e9828126535c018bbce43f186023ca6a306739ec2dd41893888ef3b32861

  • Size

    462KB

  • Sample

    220521-n7sd1shhfq

  • MD5

    12b5f0d4c14fe8024512c4f8f64321aa

  • SHA1

    b2da578741f6fc6a6cb9dfa9362ec68da96437a7

  • SHA256

    1ba7e9828126535c018bbce43f186023ca6a306739ec2dd41893888ef3b32861

  • SHA512

    c6a90db31b3b2841f8803847b4ae5923deca3025147a3699f438e4fd010988255aafd08ecc39c4cff0f3efe6277a4ae270acb06d97c4b5a6eed841a3218da3b6

Score
10/10
agentteslasnakebotcollectioncoreentitykeyloggerrezer0snakebotspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    sologlobal@yandex.com
  • Password:
    amblessed22

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    sologlobal@yandex.com
  • Password:
    amblessed22

Targets

    • Target

      CL00485Q1902589CLSCTB.exe

    • Size

      512KB

    • MD5

      c608f248429afc058f2a9b0ba3a3e98f

    • SHA1

      46b3668dc85850542e96bab175a4c23d34d1155e

    • SHA256

      8d47f598292fe9256f28a9b23751612ba420e885d9cf09fb8d389fb2b53ea5ac

    • SHA512

      7770b281d9d6ef400d476cf78c95e6cc192b2842d7628354df25223e1d45056f60aa11ae22ea0766552eb75cc91c24b79330c8c70fb77b34e3cc83651443040a

    Score
    10/10
    agentteslasnakebotcollectioncoreentitykeyloggerrezer0snakebotspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • SnakeBOT

      SnakeBOT is a heavily obfuscated .NET downloader.

      snakebot

    • AgentTesla Payload

    • Contains SnakeBOT related strings

      snakebot

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks