General

  • Target

    6acdb4a3fd233c48f59b7dee0cf9a91a7fc41a64d18b7a5a964f340a306731cc

  • Size

    398KB

  • Sample

    220521-ne9gtsggbp

  • MD5

    19e996d79c88d8e08ede5d107489b4de

  • SHA1

    16b42492e362950da74a7192acb550cfdf3586f3

  • SHA256

    6acdb4a3fd233c48f59b7dee0cf9a91a7fc41a64d18b7a5a964f340a306731cc

  • SHA512

    58b5217c69e0731a7e60137083ddde562e231588b6d94b0d9d7555203af2add2bb082c44e2b4596678f254cf4e777671670660c74d035a2ee023dfd2c28fbe7d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.privateemail.com
  • Port: 587
  • Username: [email protected]
  • Password: mmm777


Targets

    • Target

      Payment Invoice.exe

    • Size

      556KB

    • MD5

      53ec9b92d822d12887d144d5e2066bef

    • SHA1

      ef55bbcab42a3ef5ee0070adf2b1c176dfeea4d0

    • SHA256

      1a32b479225283f435fe37ea7490bd319063d0cbf88ba6845821aa4eadbbdc91

    • SHA512

      6685ca80b210e740bac3a0910c803b27dac2840a9b17c24dd0256b8afbce7cbb063b713e63f488179979e118434ca8ea49f542f414e1c402f71462897f705d7b

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic                 Technique                      Count  ID
Execution              Scheduled Task                 1      T1053
Persistence            Scheduled Task                 1      T1053
Privilege Escalation   Scheduled Task                 1      T1053
Credential Access      Credentials in Files           3      T1081
Discovery              Query Registry                 1      T1012
Discovery              System Information Discovery   2      T1082
Collection             Data from Local System         3      T1005
Collection             Email Collection               1      T1114

Tasks