Overview

overview

10

Static

static

9

Akbank Bildirimi.exe

windows7_x64

10

Akbank Bildirimi.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    db9e101a455cc5601582e029cae66c9d79c9042da5a0faf20aa145e47fd8f42d

  • Size

    496KB

  • Sample

    220521-n85ezaeha4

  • MD5

    b0d4920c81b2b52f8c711eda531f38b8

  • SHA1

    eabf83ded0901a19ca41d5a9f9532daba2c737bd

  • SHA256

    db9e101a455cc5601582e029cae66c9d79c9042da5a0faf20aa145e47fd8f42d

  • SHA512

    71ec196c094179201e7a9a30707c6cdbda72eae2ed6ee5f891c9cca223bdd076a5cf92258af90f53779e18259f80d76930ea1d97ef1d4f4c4fd1fa8689e2bffe

Score
10/10
agentteslacollectioncoreentityevasionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    bin2laden@yandex.com
  • Password:
    gatefee22

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    bin2laden@yandex.com
  • Password:
    gatefee22

Targets

    • Target

      Akbank Bildirimi.exe

    • Size

      530KB

    • MD5

      6864baa092a9d571a6b2b90994695ec8

    • SHA1

      360b38f1050fa182cb4c579dd7af60d784d3f543

    • SHA256

      6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be

    • SHA512

      91fde501a8d514ff2ffeb12d0deb7721c372ccbf657e962e4ad5b35f0500a6fb5aa7e1b150ea4042ded50d7e898b5e8f432c8ee5ef931a08462a314cc4e5dd80

    Score
    10/10
    agentteslacollectioncoreentityevasionkeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • CoreCCC Packer

      Detects CoreCCC packer used to load .NET malware.

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks