General

  • Target

    f53ce702da37fe9720c8ee5e54fae93455516808ca376be2587362b2d6689d1f

  • Size

    265KB

  • Sample

    220521-n8l9dsaabk

  • MD5

    b79ff6ad90cf2219e3d36f3e0fae5446

  • SHA1

    7f96c1cff3356578c658d1ed5bbd1c93ed5032d1

  • SHA256

    f53ce702da37fe9720c8ee5e54fae93455516808ca376be2587362b2d6689d1f

  • SHA512

    5f3a523c4cdfe85468c3d373c7c102cd40071dcaf3fcea6a598af29436458e994c84b45595fd0eaf0c40f9f33531a56169c12ace7cf6b692c5d64d69b3c443e0

Malware Config

Extracted

  • Family:
    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.okgrocer.co.za
  • Port:
    587
  • Username:
    lot1567@okgrocer.co.za
  • Password:
    Theunis@123
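The SMTP configuration extracted above is the sample's exfiltration channel, not a server a responder should authenticate to: the mailbox is attacker-controlled or a compromised third-party account, and the password is reproduced in the report only as an indicator. The Python below is an added example, not part of the sandbox report, showing how to turn those fields into hunt content: it derives the base64 form of the username as it would appear in an SMTP AUTH LOGIN exchange, emits a Suricata content rule, and correlates DNS answers for the configured hostname with connection records so that only hosts talking to the resolved mail server on port 587 are reported rather than every mail-submission flow. The Zeek-style log lines, the client addresses and the 203.0.113.10 / 198.51.100.7 / 192.0.2.9 server addresses are constructed test data, and the rule SID is arbitrary.

```python
"""Turn the Agent Tesla SMTP config extracted above into hunt indicators and
run them over constructed Zeek-style log lines.

Added example; not part of the sandbox report. Log lines and IP addresses
below are constructed test data."""
import base64
from dataclasses import dataclass

# Values copied from the "Malware Config / Extracted" block of the report.
# The password is deliberately left out: the mailbox is attacker-controlled
# (or a compromised third-party account) and must not be logged into.
EXTRACTED_CONFIG = {
    "protocol": "smtp",
    "host": "mail.okgrocer.co.za",
    "port": 587,
    "username": "lot1567@okgrocer.co.za",
}


@dataclass(frozen=True)
class SmtpExfilIndicators:
    host: str
    port: int
    username: str
    username_b64: str  # the username as it appears on the wire in AUTH LOGIN


def build_indicators(cfg: dict) -> SmtpExfilIndicators:
    """Derive hunt indicators from the extracted config.

    Agent Tesla exfiltrates over authenticated SMTP. With AUTH LOGIN the
    client sends the username base64-encoded, so the encoded form is a
    usable content match on any session that stays in clear text
    (i.e. the sample did not negotiate STARTTLS)."""
    b64 = base64.b64encode(cfg["username"].encode("ascii")).decode("ascii")
    return SmtpExfilIndicators(cfg["host"].lower(), int(cfg["port"]),
                               cfg["username"], b64)


def suricata_rule(ind: SmtpExfilIndicators, sid: int) -> str:
    """Content rule for the clear-text AUTH LOGIN case (sid is arbitrary)."""
    return (
        f"alert tcp $HOME_NET any -> any {ind.port} "
        f'(msg:"AgentTesla SMTP exfil login as {ind.username}"; '
        f'flow:to_server,established; content:"{ind.username_b64}"; '
        f"sid:{sid}; rev:1;)"
    )


# Constructed dns.log-style lines: ts, client, query name, answer.
SAMPLE_DNS_LOG = """\
1653140001.100\t10.0.0.25\tmail.okgrocer.co.za\t203.0.113.10
1653140002.200\t10.0.0.25\twww.example.org\t198.51.100.7
"""
# Constructed conn.log-style lines: ts, src, sport, dst, dport, proto.
SAMPLE_CONN_LOG = """\
1653140001.500\t10.0.0.25\t49712\t203.0.113.10\t587\ttcp
1653140003.000\t10.0.0.25\t49713\t198.51.100.7\t443\ttcp
1653140004.000\t10.0.0.31\t49801\t203.0.113.10\t587\ttcp
1653140005.000\t10.0.0.40\t50011\t192.0.2.9\t587\ttcp
"""


def hunt(dns_log: str, conn_log: str, ind: SmtpExfilIndicators) -> list:
    """Report hosts that connected to the resolved C2 mail server on the exfil
    port. Port 587 alone is too noisy (legitimate mail submission); the DNS
    answer for the configured hostname narrows the match to the real server."""
    c2_addrs, askers = set(), set()
    for line in dns_log.splitlines():
        _ts, client, qname, answer = line.split("\t")
        if qname.lower().rstrip(".") == ind.host:
            c2_addrs.add(answer)
            askers.add(client)
    hits = []
    for line in conn_log.splitlines():
        ts, src, _sport, dst, dport, _proto = line.split("\t")
        if dst in c2_addrs and int(dport) == ind.port:
            hits.append({"ts": float(ts), "src": src, "dst": dst,
                         "dns_seen_from_src": src in askers})
    return hits


if __name__ == "__main__":
    ind = build_indicators(EXTRACTED_CONFIG)
    print(suricata_rule(ind, sid=9000001))
    for hit in hunt(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG, ind):
        print(hit)
```

The content rule only fires when the session stays in clear text; if the sample negotiates STARTTLS on port 587 the AUTH exchange is encrypted and the hostname/port correlation in hunt() is the indicator to rely on. The second reported host (10.0.0.31) has no DNS query of its own in the sample data, which is why the result carries a dns_seen_from_src flag rather than requiring the query.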

Targets

    • Target

      SCHACHERMAYER INQ2.exe

    • Size

      444KB

    • MD5

      8593b1cec0cbf443f51b1be38eaba1e2

    • SHA1

      9ba1e269f69c7a4d3c18d93bd68d6f78b2356687

    • SHA256

      dfe2978764d493ac195ec5a39d99f998c1d69d9f68e25bbbe090d9b2f7cb97c2

    • SHA512

      bb787c21279a0c0686a7def3254ed939390a144ac0264129cbdb5f79e35008487daa3ca99a037ca4027284f0b9fd6a0899850b60cce4640f2970f416e4395d73

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. Its payload does what the behaviours below show: it harvests stored credentials from the host and sends them out, in this sample over SMTP.

    • AgentTesla Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence (the malware refuses to run, or behaves differently, in certain countries).

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation; expect renamed identifiers and flattened control flow when the sample is opened in a .NET decompiler.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with FTP clients such as FileZilla, which keep saved server credentials on disk.

    • Reads user/profile data of local email clients

      Email clients store some user data, including saved account credentials, on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Typically seen when a process writes code into a suspended child process and redirects its main thread to the injected entry point (process hollowing), a common way for a loader to run an unpacked payload.
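The "Adds Run key to start application" behaviour above is the persistence a responder has to find on every host that ran this sample. The report does not give the value name or the dropped path, so the Python below is an added example with constructed data, not part of the sandbox report: it parses the text of a Windows .reg export of the Run keys (as produced by reg export) and flags entries whose executable lives in a directory an unprivileged dropper can write to, or that borrow the name of a Windows system binary while living outside the Windows directory. The OneDrive, WinUpdate, SecurityHealth and svchost entries, the "victim" user name and all paths are constructed.

```python
"""Flag autostart entries that point into user-writable directories.

Added example; not part of the sandbox report. It parses the text of a
Windows .reg export of the Run keys (the export below is constructed) and
reports entries whose executable lives where an unprivileged dropper can
write, which is where a dropped copy of an infostealer is typically placed."""
import re

# Constructed .reg export (as produced by `reg export`), not from the sample.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\victim\\AppData\\Roaming\\WinUpdate\\WinUpdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\Users\\Public\\svchost.exe"
'''

RUN_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)
REG_SZ_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Directory fragments an unprivileged user can write to. Anything autostarting
# from here deserves a look; signed software normally lives under Program Files
# or the Windows directory.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
# Names of Windows system binaries that malware likes to borrow.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}


def _unescape(s: str) -> str:
    """Undo .reg escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def _executable(command: str) -> str:
    """Extract the program path from a Run value (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_run_keys(reg_text: str) -> list:
    """Return (key, value name, command) for every value under a Run/RunOnce key."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group("key") if m else None  # ignore non-Run keys
            continue
        m = REG_SZ_RE.match(line)
        if current and m:
            entries.append((current, _unescape(m.group("name")), _unescape(m.group("data"))))
    return entries


def flag_suspicious_autostarts(reg_text: str) -> list:
    """Return dicts for Run entries that start from a user-writable location
    or that impersonate a system binary from outside the Windows directory."""
    findings = []
    for key, name, command in parse_run_keys(reg_text):
        exe = _executable(command)
        exe_l = exe.lower()
        reasons = []
        if any(frag in exe_l for frag in USER_WRITABLE):
            reasons.append("executable in user-writable directory")
        if exe_l.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in exe_l:
            reasons.append("system binary name outside the Windows directory")
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_autostarts(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']}: {f['exe']} ({'; '.join(f['reasons'])})")
```

The check is deliberately path-based rather than name-based: the sample's own value name is not in the report and families rotate names freely, whereas a copy dropped by an unprivileged process has to live somewhere that process could write. Pair the flagged path with the dropped-file hashes from the report before deleting anything.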

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                            ID      Matched signatures
  Persistence         Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion     Modify Registry                      T1112   1
  Credential Access   Credentials in Files                 T1081   3
  Discovery           Query Registry                       T1012   1
  Discovery           System Information Discovery         T1082   2
  Collection          Data from Local System               T1005   3
  Collection          Email Collection                     T1114   1

The IDs follow ATT&CK v6. In current ATT&CK versions T1060 and T1081 were folded into the sub-techniques T1547.001 (Registry Run Keys / Startup Folder) and T1552.001 (Credentials In Files); map accordingly when importing these into detection content.
