General

  • Target

    30fe459f5e08e16ce1b4767bc7080f614fb68b07996eabdc342f2ad2e29e69d1

  • Size

    327KB

  • Sample

    220521-n93b1aaahl

  • MD5

    737577ba0c05ab3b290f1fa45a174371

  • SHA1

    1be96f777117fae958240b7a69471fb4b8292e30

  • SHA256

    30fe459f5e08e16ce1b4767bc7080f614fb68b07996eabdc342f2ad2e29e69d1

  • SHA512

    ab9a7f2066203cce8bbf17ee7e9cc6bc1e982ff4a3630b5ca3eb774eaba747fff41171f1748d1f7610292957db05146640e4bcc23e70531d29a55799973c1bd3

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.bnb-spa.com
  • Port:
    587
  • Username:
    inform@bnb-spa.com
  • Password:
    }iPxp@l#21aE

Targets

    • Target

      anoop-image.exe

    • Size

      380KB

    • MD5

      c6a87ef3094310256f6bd31b4042f0d2

    • SHA1

      66788fdc33456b12d4c143ae3ba7cd177871b2a3

    • SHA256

      9c96c661ea6c6727f05c88372021bb8abad1fc17cb3e0253eed15d1cd15c1b67

    • SHA512

      0411e1f5ff3411c0cf31011f7ad4b0a133afafdb6dd37bd25948e22b10134d368a47dea6c79eea929dc9232a8e9d8afa602e286d480849ff84c75123d379e28c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                            #   ID
  Execution             Scheduled Task                       1   T1053
  Persistence           Registry Run Keys / Startup Folder   1   T1060
  Persistence           Scheduled Task                       1   T1053
  Privilege Escalation  Scheduled Task                       1   T1053
  Defense Evasion       Modify Registry                      1   T1112
  Credential Access     Credentials in Files                 3   T1081
  Discovery             Query Registry                       1   T1012
  Discovery             System Information Discovery         2   T1082
  Collection            Data from Local System               3   T1005
  Collection            Email Collection                     1   T1114

Tasks