General

  • Target

    59312a8eef959c8eca21fff286c08394070e543e592240f1d449fdecdfd07ff9

  • Size

    265KB

  • Sample

    220521-ndhygsdec8

  • MD5

    576f7190530f8d45a16e57507a128acd

  • SHA1

    4dce5e601ce3551326dd28a13af33d450fba4018

  • SHA256

    59312a8eef959c8eca21fff286c08394070e543e592240f1d449fdecdfd07ff9

  • SHA512

    250b799520bf02681f04b27db84aa6307bb6ae10fac312841c38cc4dc1a790526b92e3f0240b810f650998b5265d0e99276ac5930fca433a81ee1b3398ed204d

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.beljemi.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    b3lj3m10nl1n3

Targets

    • Target

      Our New Order No. 1557174.exe

    • Size

      611KB

    • MD5

      961c2a4e14c037bc861773116def6845

    • SHA1

      13a12f088a978abcee89c9c1fcfb7683e6386572

    • SHA256

      35b3e5e01f043f68124bd73648b43058c80ac091b0dd1106fd6b78ac843a9beb

    • SHA512

      7539ac726bdd8e3d89600758cefa50bda19bd22422b73716cceda2574b4ff24d3f3ad7492533d0d392d183e055a47d3a72d59dada26c7deb6097575b0f846ebf

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique               Count  ID
  Credential Access  Credentials in Files    2      T1081
  Collection         Data from Local System  2      T1005
  Collection         Email Collection        1      T1114

Tasks