General

  • Target

    f7df6e1d0c223b5ab0a09a5427899cf74edb243f55d29f4e8a154dd4e09ca74d

  • Size

    576KB

  • Sample

    220521-n8js9segf8

  • MD5

    e724bfdc0433ace348a13600f1cce9c4

  • SHA1

    52ce8235d48a8e34bf0cba559e90138707709f8c

  • SHA256

    f7df6e1d0c223b5ab0a09a5427899cf74edb243f55d29f4e8a154dd4e09ca74d

  • SHA512

    c1f52db0a9053b59acb0113cc6d1c37e90f8ca20952b45a17a8e184dae8647b1f8cc550b7a02e84f74f7a8f7e1d1a8d90ff0a07f63a2210800ca4e9e98eb0a1f

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ijeomam288

Targets

    • Target

      Fwd Overdue balance request.exe

    • Size

      525KB

    • MD5

      327e095912044c837cd14c4790b5b722

    • SHA1

      f2785765bf53962850454c04b2ae9a5781dad2c3

    • SHA256

      d3f1a9f5aee95facc51d611b7deeef7da85a30c028be4a3cc9cd10d0e7bf99cf

    • SHA512

      29dc2737c9111bef912736b698a83e8295201317e8a062b8ec06b72ad4b4a40a0a291406e7f50e0947eeebd236bf2ced81aaf87c954ba1b7efea39c9208a9fba

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.

    • AgentTesla Payload

    • CoreCCC Packer

      Detects CoreCCC packer used to load .NET malware.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Credential Access

  • Credentials in Files (T1081): 3

Collection

  • Data from Local System (T1005): 3
  • Email Collection (T1114): 1
