Overview

overview

10

Static

static

payment.exe

windows7_x64

10

payment.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bcfd4926d980339e5b2532aae3f2f5b18fe3ec68117e5887eb336d1ded541687

  • Size

    646KB

  • Sample

    220521-nd7a3sdef5

  • MD5

    a0fd9efe320e7f13def90718e7247e08

  • SHA1

    f517eb38628ede8d380a5428f27a6b9600cef8e5

  • SHA256

    bcfd4926d980339e5b2532aae3f2f5b18fe3ec68117e5887eb336d1ded541687

  • SHA512

    1a967cd62544402ab1e9e8c9e6ccff28fb242e547f5a900fb49d6cd2559f88f0a8acbacb781b74b3f5a483c6e7ff51317d01d112baa3c14b647c842cfd1240d5

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.temakaw.com
  • Port:
    587
  • Username:
    babul@temakaw.com
  • Password:
    Ef@02441678

Targets

    • Target

      payment.exe

    • Size

      831KB

    • MD5

      c8677f9ced0a242bb49c3134abcbb4fe

    • SHA1

      865119d268a63941b71d0ff31edf597c396b03a9

    • SHA256

      7734e25db8cbf20b6c2d907fe0d9bb77bc797849ad456de9a930a19e27e2212d

    • SHA512

      4027c57919c10d34a5e209be46c97e579ca546571e7e1e62674a589aeceda3805891c3d0c114f438f754888c7b36fc15493c9d019df62618a4a7484a690578a5

    Score
    10/10
    agentteslacollectionevasionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks