Overview

overview

10

Static

static

ORDER 062920.exe

windows7_x64

10

ORDER 062920.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    92afd7e1c0f53f85f3a62bd54472966546a6d87e517c4439ba26ad1431235ccb

  • Size

    410KB

  • Sample

    220521-ndbt6sdeb9

  • MD5

    3584ebbb4876d596b8c558d594c99280

  • SHA1

    f490c143ad4af88a7dd90cae03094b1d3ff09b6f

  • SHA256

    92afd7e1c0f53f85f3a62bd54472966546a6d87e517c4439ba26ad1431235ccb

  • SHA512

    2f9ce4209609e635a4002c1312cd3cfc8034052938f6602c662627f40b7db279abb79783b8b87b0aa379bbfe90bb0166ff5fb43f7e14a15bf1843a3d724c779f

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.mahavirint.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mailok

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.mahavirint.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mailok

Targets

    • Target

      ORDER 062920.exe

    • Size

      475KB

    • MD5

      1ac44ab27bd3611122ec00dbeb27f775

    • SHA1

      3f534c105ccfa16d1c91cc81db1793cbc25572f2

    • SHA256

      d1b548cd7f6dfff33fc925d0cbe43ffd4a533119635b07978ce146c2a113d4a1

    • SHA512

      c03be94812c7fab93f0e8bd08ab5df29d8e2a7980ea2158d7050a9719906f14bc32da4e7f3f3f335e11497c2bdbbbf8dd1081df05d81b66e6461f03eff9b9f7b

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks