General

  • Target

    f510d8c903f78262f15edd2b3c4f1778fb590fedb8d54224da31c6717c9c8f3a

  • Size

    1.3MB

  • Sample

    220521-ndfs5agfcj

  • MD5

    0003f99494e9dc0bdc12bd26c6f754a9

  • SHA1

    a33365e3d18c1f7fc5b93f7fb1ca82bc6219bece

  • SHA256

    f510d8c903f78262f15edd2b3c4f1778fb590fedb8d54224da31c6717c9c8f3a

  • SHA512

    39a12fb7f18dad0671142640d211ddef8e93fd575fbbd299a8b04ebf2f49226f5dd54a38cb0ecb1919044ec56eb3ff7ca9c40f4ab5e45774ff74506cff857e9a

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.cka.com.sg
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    agnescka82

Targets

    • Target

      Catalogue -CIMC Vehicles.pdf

    • Size

      956KB

    • MD5

      d4a1613e6edd72c5428df47a8e723d04

    • SHA1

      ce685570bf27392dbc7b375b6ad24a16a7c1a7e3

    • SHA256

      0f3eb48d8d86128e53b1cbaf4282725f2240000835a538ba41e3b30ea1b79a22

    • SHA512

      c3e0e841d0c3451baf6a3303504497a95625cc7aa760a1e89cea87bbf1e063aebab3c0a9d2ea07ee67dd7c31224f76131045deb13ca4c36d72d54f758b61e032

    • Score

      1/10

    • Target

      PO.exe

    • Size

      869KB

    • MD5

      a925cd618ba6ead6b73ded89b70e69b7

    • SHA1

      9a1b4b8e5a3d2d9539205f9c2a3ea96d5f74d5c0

    • SHA256

      547e52557b519e2b169e8a9c5932e2d7ce615ea34d54348d5d87033a545b6362

    • SHA512

      9a96bb6e45fcafe54376b3c923c5db4f71651832bc42897218511b87bbb15bacfafb9059a378d37022fe19b5dff6b78e8013b14262ab907f6d4bc0b051a365fb

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               | Technique                          | ID    | Count
  ---------------------|------------------------------------|-------|------
  Execution            | Scheduled Task                     | T1053 | 1
  Persistence          | Registry Run Keys / Startup Folder | T1060 | 1
  Persistence          | Scheduled Task                     | T1053 | 1
  Privilege Escalation | Scheduled Task                     | T1053 | 1
  Defense Evasion      | Modify Registry                    | T1112 | 2
  Credential Access    | Credentials in Files               | T1081 | 2
  Discovery            | Query Registry                     | T1012 | 2
  Discovery            | System Information Discovery       | T1082 | 3
  Collection           | Data from Local System             | T1005 | 2
  Collection           | Email Collection                   | T1114 | 1

Tasks