Overview

overview

10

Static

static

E-Remittance Copy.exe

windows7_x64

10

E-Remittance Copy.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3a68063195e24c81ff5871a3f3c75053ca9a93131378da60609ac94134a1a5aa

  • Size

    380KB

  • Sample

    220521-n9ldgsaafq

  • MD5

    148f75765e39dcd8263cd6a8f9132834

  • SHA1

    e61a6b352b78f4c1b10010dc7779dc9985a3e080

  • SHA256

    3a68063195e24c81ff5871a3f3c75053ca9a93131378da60609ac94134a1a5aa

  • SHA512

    def3469563bafe2e8a24935b6a07484d50e3d75640a07a37aed738e47b5e0941b8db66b1b7a082efe829c9c747e1cbacfb59f865b271a677304531de2bad9604

Score
10/10
agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.bethfels.org
  • Port:
    587
  • Username:
    jamie.swan@bethfels.org
  • Password:
    %C@sFFb8

Targets

    • Target

      E-Remittance Copy.exe

    • Size

      403KB

    • MD5

      561ed534bd9e4061d4b434e4e18b9cc3

    • SHA1

      de3fb19c36a7def9b71198b8fbd3de50afcecfe0

    • SHA256

      aa00c67caa3688bdffc0b6edbb7c4b599c1e18e78c46f917dd28bc521af120cf

    • SHA512

      be6749f3496e2a9b918235233f39ca5a22ca0a43025e0545bde2b8247eb35bb08dd5bc3111ae855adc5a4a0b9d04a6230180d3e8ec3a9599c06e0690afd5b53b

    Score
    10/10
    agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks