General

  • Target

    afe952920d9aa2aa21f0d361b42a6ed91ecf28128d040f5c8dfa3e0e833a6e06

  • Size

    527KB

  • Sample

    220521-ncvwnagehn

  • MD5

    71745d26a170b2951bc7185b6024949b

  • SHA1

    4fb951e731afe74e8dfe97027b34559f1d80883a

  • SHA256

    afe952920d9aa2aa21f0d361b42a6ed91ecf28128d040f5c8dfa3e0e833a6e06

  • SHA512

    d6ddcaafabe9b8790c17d08ec97a250dfb8eeb08e1cba282055d6ecdfedcb94714c41829433ac035ae31db54b2a9ccc6c606de4f650268716c66e20a565ceb06

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    server122.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    OJZg,yx3yFHQ

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    server122.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    OJZg,yx3yFHQ
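The payload hashes and the extracted SMTP configuration are the indicators a responder actually acts on. The following Python is an added example, not part of the sandbox output: it checks whether a retrieved file is the reported payload and flags contact with the exfiltration server in key=value connection logs. The digests and the host/port are copied from the report; the log lines and their format are constructed for the demonstration. Because the host name looks like a shared hosting server, only the host-plus-port-587 pair is treated as a high-confidence hit.

```python
"""IOC checks derived from this report (added example, not sandbox output)."""
import hashlib
import io
import re
from typing import BinaryIO, Dict, Iterable, List, Tuple

# Digests reported for the dropped payload ("Targets" section of the report).
PAYLOAD_HASHES = {
    "md5": "98946b57d66c04e46436391548532eb5",
    "sha1": "1714075095b72a5d65299c2ffdf50fce6373f0b1",
    "sha256": "c1f797506aa00305f7d7df4ef9933904a58c03c7da3f5a20f9087279ea71a1d6",
}

# Exfiltration channel from the extracted AgentTesla config.
EXFIL_HOST = "server122.web-hosting.com"
EXFIL_PORT = 587


def hash_stream(fh: BinaryIO) -> Dict[str, str]:
    """Compute md5/sha1/sha256 in a single pass, 1 MiB at a time."""
    hashers = {name: hashlib.new(name) for name in PAYLOAD_HASHES}
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data))


def file_hashes(path: str) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return hash_stream(fh)


def is_reported_payload(observed: Dict[str, str]) -> bool:
    """True only if every reported digest matches (case-insensitive)."""
    return all(observed.get(k, "").lower() == v for k, v in PAYLOAD_HASHES.items())


_KV = re.compile(r"(\w+)=(\S+)")


def find_exfil_events(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan '<ts> <kind> key=value ...' log lines (constructed format) for the exfil server.

    Returns (timestamp, source host, verdict).  A TCP connection to EXFIL_HOST
    on EXFIL_PORT is the high-confidence "smtp-exfil" hit; a DNS lookup or a
    connection on another port is reported at lower confidence, since a shared
    hosting server also serves unrelated sites.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        ts, kind, rest = parts
        fields = dict(_KV.findall(rest))
        src = fields.get("host", "?")
        if kind == "dns" and fields.get("qname", "").lower() == EXFIL_HOST:
            hits.append((ts, src, "dns-lookup"))
        elif kind == "conn" and fields.get("dst", "").lower() == EXFIL_HOST:
            verdict = "smtp-exfil" if fields.get("dport") == str(EXFIL_PORT) else "other-port"
            hits.append((ts, src, verdict))
    return hits


# Constructed sample log: one infected host (WS07) and one benign contact (WS12).
SAMPLE_LOG = [
    "2022-05-21T10:14:02Z dns query host=WS07 qname=server122.web-hosting.com",
    "2022-05-21T10:14:03Z conn host=WS07 proto=tcp dst=server122.web-hosting.com dport=587 bytes_out=18422",
    "2022-05-21T10:15:11Z conn host=WS07 proto=tcp dst=outlook.office365.com dport=443 bytes_out=2231",
    "2022-05-21T10:16:40Z conn host=WS12 proto=tcp dst=server122.web-hosting.com dport=443 bytes_out=120",
]

if __name__ == "__main__":
    for ts, src, verdict in find_exfil_events(SAMPLE_LOG):
        print(ts, src, verdict)
```

To check a sample you have retrieved, call `is_reported_payload(file_hashes(path))`; a partial match (for example only the MD5) is deliberately not accepted.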

Targets

    • Target

      Purchase Inquiry Datasheet Of Listed Items.exe

    • Size

      751KB

    • MD5

      98946b57d66c04e46436391548532eb5

    • SHA1

      1714075095b72a5d65299c2ffdf50fce6373f0b1

    • SHA256

      c1f797506aa00305f7d7df4ef9933904a58c03c7da3f5a20f9087279ea71a1d6

    • SHA512

      eab717b0e5ae002e3291f30fd10af7b09d259ef1bc74a688d7f88ff6d2463a89998ddef5855830187e8a9e6055bcc7a5f2933f86ba6811f61ed3142595a02869

    • AgentTesla

      Agent Tesla is a .NET information stealer and remote access tool (RAT), commonly described as written in Visual Basic .NET; it harvests credentials from browsers, email and FTP clients and exfiltrates them over SMTP, FTP or HTTP (this sample uses SMTP, see the extracted config above).

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check before running the payload.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved credentials on disk, where infostealers commonly read them.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      Rewriting a suspended thread's context is the classic final step of process hollowing, where a loader replaces the image of a suspended child process with an injected payload and points execution at it.

MITRE ATT&CK Matrix (ATT&CK v6)

The number in the last column is the count of behavioural signatures mapped to that technique.

  Tactic                 Technique                      ID      Signatures
  Execution              Scheduled Task                 T1053   1
  Persistence            Scheduled Task                 T1053   1
  Privilege Escalation   Scheduled Task                 T1053   1
  Credential Access      Credentials in Files           T1081   3
  Discovery              Query Registry                 T1012   1
  Discovery              System Information Discovery   T1082   2
  Collection             Data from Local System         T1005   3
  Collection             Email Collection               T1114   1

The IDs follow ATT&CK v6 as labelled. In current ATT&CK, T1081 is superseded by T1552.001 (Unsecured Credentials: Credentials In Files) and T1053 by the sub-technique T1053.005 (Scheduled Task/Job: Scheduled Task); map accordingly when importing these into a newer matrix.
