General

  • Target

    cfbe31fb23e2883dfe7e375b40c17c8d666e44f3d814b44f504792000c2b54d7

  • Size

    399KB

  • Sample

    220521-nbe4taddc9

  • MD5

    22d2033c9b8a7a30cbdf8f8e6ee60b8a

  • SHA1

    42c3ba5c623f8687d0e902b76d8f06062bd8f80d

  • SHA256

    cfbe31fb23e2883dfe7e375b40c17c8d666e44f3d814b44f504792000c2b54d7

  • SHA512

    b63e05aa1f39ba08e0cdc418025bb657761956e356932e2f8c114be7d13abc41ce96de9c5311ca36306f1aefd423c26bb017431f8a7f3be33cd668c606e32e38

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    accounts@emiraticoffee.cf
  • Password:
    kelechi12

Targets

    • Target

      c635h0xsMSHcfHh.exe

    • Size

      484KB

    • MD5

      52115771fbb6cf6c19efa25341659cc9

    • SHA1

      c8467e8567e39b6ba7b854ba616fb2d6b1ae6dcf

    • SHA256

      56d3195601565b122137b9d48f27db87d1cc83da7f5aca7720d128cf2044cefc

    • SHA512

      fa38ef613adc5a4344ba469daeef3336629465def1eb24dc71cf3d45d90181d096c49c2581ecf1dc5e002b06658e8bfab4f4c1c57d1b9fda1971fc22c607ec00

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1053 Scheduled Task (1)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)
    T1053 Scheduled Task (1)

  • Privilege Escalation

    T1053 Scheduled Task (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Credential Access

    T1081 Credentials in Files (3)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (3)
    T1114 Email Collection (1)

Tasks