General

  • Target

    40334ab1b1d7fd8436528ea19158f2e133d4e420779f84f1ee16a3d72f5ffb6a

  • Size

    274KB

  • Sample

    220521-n89dxsaaem

  • MD5

    06401efddb6c7058c639113aeb799d5c

  • SHA1

    dddc8fded1a37926372504191b624849274b3eb3

  • SHA256

    40334ab1b1d7fd8436528ea19158f2e133d4e420779f84f1ee16a3d72f5ffb6a

  • SHA512

    484f0c6459ce1a45e68b1a968de5111d19f0416a2add9a4c502cbfb283121b9b5eb07fbe34ad011210416d63a98dbe344e52c07986f628be3cd785afa427f431

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    sales2u-kcom.com@yandex.com
  • Password:
    ALIbaba123
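
The extracted SMTP configuration above is the sample's exfiltration channel: stolen data is mailed through smtp.yandex.com on port 587 using a mailbox the operator controls. Because smtp.yandex.com is a shared public provider, the host and port alone are weak indicators; the account name is the discriminating value, and it is only visible to a network sensor where the SMTP AUTH exchange is in plaintext (a sandbox capture or a TLS-inspecting proxy; on port 587 the client normally issues STARTTLS first). The password is an attacker asset, not something to test against the provider. The Python script below is an added example and not part of the original report: it applies these indicators to constructed Sysmon-style network events and a constructed client-side SMTP command capture. The event format, the mail-client allowlist and every log line are assumptions.

```python
"""Hunt for AgentTesla SMTP exfiltration using the extracted configuration.

Added example. Inputs are constructed: Sysmon-style network events in the
form ts|image|dest_host|dest_port, plus a client-side SMTP command capture.
"""
import base64
import re
from dataclasses import dataclass

# Indicators from the extracted config. The password is deliberately not used
# as a match key and is never replayed against the provider.
EXFIL_HOST = "smtp.yandex.com"
EXFIL_PORT = 587
EXFIL_USER = "sales2u-kcom.com@yandex.com"

SMTP_PORTS = {25, 465, 587}
# Processes allowed to speak SMTP submission (assumed allowlist, adjust per estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed events: the sample under analysis, a legitimate Outlook session,
# an HTTPS connection and an unknown binary using SMTPS.
FLOWS = [
    "2022-05-21T10:02:13Z|C:\\Users\\user\\Downloads\\PO 20-S880320V8.exe|smtp.yandex.com|587",
    "2022-05-21T10:03:01Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|smtp.office365.com|587",
    "2022-05-21T10:03:40Z|C:\\Windows\\System32\\svchost.exe|40.126.0.1|443",
    "2022-05-21T10:05:44Z|C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe|mail.example.com|465",
]

# Constructed client-side SMTP commands as a sensor would see them in plaintext.
# AUTH LOGIN sends username and password as separate base64 lines; the real
# password is omitted on purpose.
SESSION_LOGIN = [
    "EHLO DESKTOP-CONSTRUCTED",
    "AUTH LOGIN",
    base64.b64encode(EXFIL_USER.encode()).decode(),
    base64.b64encode(b"<password omitted>").decode(),
    f"MAIL FROM:<{EXFIL_USER}>",
]
# AUTH PLAIN carries authzid\0authcid\0password in one initial response (RFC 4616).
SESSION_PLAIN = ["EHLO x", "AUTH PLAIN " + base64.b64encode(b"\x00bob@example.com\x00pw").decode()]


@dataclass
class Hit:
    line_no: int
    process: str
    reason: str


def flag_flows(lines):
    """Flag SMTP flows: exact config match, or SMTP from a non-mail-client process."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, image, host, port = line.split("|")
        proc = image.rsplit("\\", 1)[-1].lower()
        port = int(port)
        if host.lower() == EXFIL_HOST and port == EXFIL_PORT:
            # Yandex is a public provider, so this is medium confidence on its own;
            # confirm with the account name recovered from AUTH where available.
            hits.append(Hit(n, proc, "destination matches extracted AgentTesla SMTP config"))
        elif port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            hits.append(Hit(n, proc, "SMTP from a process outside the mail-client allowlist"))
    return hits


def _b64(text):
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def _plain_user(blob):
    decoded = _b64(blob)
    parts = decoded.split("\x00") if decoded is not None else []
    return parts[1] if len(parts) == 3 else None


def username_from_auth(commands):
    """Return the authenticating user from client-side SMTP commands, or None.

    Handles AUTH PLAIN with or without an initial response and the two-step
    AUTH LOGIN exchange, where the next client line is the base64 username.
    """
    expect = None
    for raw in commands:
        cmd = raw.strip()
        if expect is not None:
            return _plain_user(cmd) if expect == "PLAIN" else _b64(cmd)
        m = re.match(r"AUTH\s+(PLAIN|LOGIN)(?:\s+(\S+))?$", cmd, re.I)
        if not m:
            continue
        mech, initial = m.group(1).upper(), m.group(2)
        if initial is None:
            expect = mech
        else:
            return _plain_user(initial) if mech == "PLAIN" else _b64(initial)
    return None


def hunt(flows=FLOWS, session=SESSION_LOGIN):
    """Combine flow matching with the account name seen in AUTH."""
    user = username_from_auth(session)
    return {
        "flow_hits": flag_flows(flows),
        "auth_user": user,
        "account_match": user == EXFIL_USER,
    }


if __name__ == "__main__":
    for key, value in hunt().items():
        print(key, value)
```

Run on the constructed data, the sample's own connection and the unknown SMTPS client are flagged, Outlook is not, and the account recovered from the AUTH LOGIN exchange equals the extracted username, which is the confirmation the host match alone cannot give.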


Targets

    • Target

      PO 20-S880320V8.exe

    • Size

      538KB

    • MD5

      0dde9a7b593ec17d4715dba58e23c2d3

    • SHA1

      53d7d61e107b9b686693a547b1b68cf7aa10dbf3

    • SHA256

      8207b09240b974dbc811f65ba6ce318511c2148c22bcc73c5a35f034ae2bb7b6

    • SHA512

      d98769f562e62f9c722f8cd3ffa839f7ed38a79d6878e61f165e34779df9810d896e1c88366ba88f417997f67e7e0dc36aa7283445fdec4d8ba08576ac4a0e6f

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, email and FTP clients and sends them to an attacker-controlled channel, in this sample the SMTP mailbox in the extracted configuration.

    • AgentTesla Payload

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

      Reads the Outlook profile data stored under the user's registry hive, where account settings and saved credentials can be recovered.

    • Suspicious use of SetThreadContext

      SetThreadContext on a suspended thread of another process is the usual final step of process hollowing, redirecting execution into an injected payload.

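The four collection signatures above (FTP client files, email-client and browser profile data, Outlook profiles) describe one infostealer behaviour from different angles: a single process reading several unrelated credential stores within seconds. A browser opening its own Login Data file is normal; one binary touching Chrome, FileZilla, Thunderbird and Outlook profile keys in a two-second burst is not. The Python script below is an added example and not part of the original report: it correlates constructed file and registry access events per process and flags any process that reaches at least two store categories inside a short window. The event format, the path patterns and the timing window are assumptions, and the path list is illustrative rather than exhaustive.

```python
"""Correlate credential-store access by a single process (infostealer pattern).

Added example. Events are constructed, in the form ts|pid|image|path, mixing
file paths and registry keys as an EDR or Sysmon feed would report them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path patterns for the stores named in the signatures (illustrative, not exhaustive).
# Order matters: Thunderbird also keeps a logins.json, so email clients are tested first.
STORE_PATTERNS = {
    "email_client": [r"\\Thunderbird\\Profiles\\"],
    "ftp_client": [r"\\FileZilla\\(sitemanager|recentservers)\.xml$"],
    "browser": [r"\\Login Data$", r"\\Web Data$", r"\\logins\.json$", r"\\key4\.db$"],
    "outlook_profile": [r"^HKCU\\Software\\Microsoft\\Office\\\d+\.0\\Outlook\\Profiles\\"],
}

SAMPLE_IMAGE = "C:\\Users\\user\\Downloads\\PO 20-S880320V8.exe"

# Constructed events: the sample sweeping four stores in two seconds, then
# Chrome, FileZilla and Explorer touching their own data legitimately.
EVENTS = [
    f"2022-05-21T10:01:50Z|4120|{SAMPLE_IMAGE}|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    f"2022-05-21T10:01:51Z|4120|{SAMPLE_IMAGE}|C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml",
    f"2022-05-21T10:01:51Z|4120|{SAMPLE_IMAGE}|C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\Profiles\\x1y2z3.default\\logins.json",
    f"2022-05-21T10:01:52Z|4120|{SAMPLE_IMAGE}|HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook",
    "2022-05-21T10:02:00Z|1800|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2022-05-21T10:30:00Z|2200|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe|C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml",
    "2022-05-21T10:40:00Z|3100|C:\\Windows\\explorer.exe|C:\\Users\\user\\Documents\\invoice.docx",
]


def classify(path):
    """Return the credential-store category a path belongs to, or None."""
    for category, patterns in STORE_PATTERNS.items():
        if any(re.search(p, path, re.I) for p in patterns):
            return category
    return None


def parse_event(line):
    ts, pid, image, path = line.split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(pid), image, path


def find_stealers(events, window=timedelta(seconds=60), min_categories=2):
    """Report processes touching >= min_categories distinct stores inside one window."""
    touches = defaultdict(list)  # (pid, image) -> [(ts, category), ...]
    for line in events:
        ts, pid, image, path = parse_event(line)
        category = classify(path)
        if category:
            touches[(pid, image)].append((ts, category))

    findings = []
    for (pid, image), seen in touches.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Sliding window anchored at each access; stop at the first qualifying window.
            cats = {c for t, c in seen[i:] if t - start <= window}
            if len(cats) >= min_categories:
                findings.append({"pid": pid, "image": image, "first_seen": start,
                                 "categories": sorted(cats)})
                break
    return findings


if __name__ == "__main__":
    for f in find_stealers(EVENTS):
        print(f"pid {f['pid']} {f['image']} touched {', '.join(f['categories'])} "
              f"starting {f['first_seen']:%H:%M:%S}")
```

Only the sample's process is reported: it hits all four categories within two seconds, while Chrome and FileZilla each touch a single store that belongs to them. Raising min_categories or shrinking the window tunes the rule against legitimate backup or sync tools that read many profiles slowly.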
MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique               Hits  ID
  Credential Access  Credentials in Files    3     T1081
  Collection         Data from Local System  3     T1005
  Collection         Email Collection        1     T1114

  The IDs follow ATT&CK v6, as the report states. In current ATT&CK, T1081 has been retired and its content lives under T1552.001 (Unsecured Credentials: Credentials In Files); T1005 and T1114 remain valid.

Tasks