General

  • Target

    234f6413a29fd682d75e754921a6c5fd19d470cc24835f34636d28f06a0fa956

  • Size

    484KB

  • Sample

    220521-nfskpsdfc5

  • MD5

    512a8fb7b848c5ae125b7a6a8c9a9986

  • SHA1

    c5bf1f837641c84850f2f72b437615485cb55aad

  • SHA256

    234f6413a29fd682d75e754921a6c5fd19d470cc24835f34636d28f06a0fa956

  • SHA512

    7fe60724d079bfa010ba601e2a602fff28bb4e2da115a5d26b96e2728fe2f260703c28c2910d5334256559bc45ff406c8046c186b26c8e085aed6be0fff29ebb

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pkfpmes.co.ke
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    }79ngu!.Bzo7

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pkfpmes.co.ke
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    }79ngu!.Bzo7
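The extracted SMTP configuration above is the sample's exfiltration channel, so the useful thing to do with it is to turn the host into a detection and hunt for other hosts that have talked to it. The following Python is an added example written for this report (not Triage's own code): it builds a local Suricata DNS rule for the exfil host and checks constructed outbound mail session records against it. The session records are made up for illustration, not captured traffic, and the Suricata sid is an assumed local-range value. The username is elided on the page, so the example keys on the server only and never uses the credential.

```python
"""Turn the extracted AgentTesla SMTP configuration into a detection rule
and check it against outbound mail sessions.

Added example written for this report, not Triage's own code.  The
session records below are constructed for illustration, not captured
traffic; the Suricata sid is an assumed local-range value.
"""
from dataclasses import dataclass
from typing import Dict, List

# Host and port as extracted above.  The username is elided on the page,
# so the example keys on the server only and never touches the credential.
EXTRACTED_CONFIG: Dict[str, object] = {
    "protocol": "smtp",
    "host": "mail.pkfpmes.co.ke",
    "port": 587,
}


@dataclass(frozen=True)
class SmtpSession:
    """One outbound SMTP session, e.g. a summarised Zeek smtp.log row."""
    src_ip: str
    dst_host: str   # server name from DNS/SNI (not the client's EHLO name)
    dst_port: int
    auth_ok: bool


# Constructed sample sessions (not from the sandbox run).
SAMPLE_SESSIONS: List[SmtpSession] = [
    SmtpSession("10.0.0.15", "smtp.office365.com", 587, True),
    SmtpSession("10.0.0.23", "mail.pkfpmes.co.ke", 587, True),
    SmtpSession("10.0.0.23", "MAIL.PKFPMES.CO.KE", 25, False),
    SmtpSession("10.0.0.40", "mail.example.org", 465, True),
]


def build_suricata_rule(cfg: Dict[str, object], sid: int) -> str:
    """Emit a local DNS-lookup rule for the exfil mail host.

    A DNS match is preferred over a content match on the SMTP stream
    because the mail session may be wrapped in STARTTLS on 587, which
    hides the RCPT TO domain from a plain content match.
    """
    host = str(cfg["host"]).lower()
    return (
        f'alert dns $HOME_NET any -> any any '
        f'(msg:"LOCAL AgentTesla exfil mail host lookup {host}"; '
        f'dns.query; content:"{host}"; nocase; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def match_sessions(cfg: Dict[str, object],
                   sessions: List[SmtpSession]) -> List[SmtpSession]:
    """Return sessions whose destination is the extracted exfil host.

    The host comparison is case-insensitive and the port is deliberately
    ignored: the same mailbox can be reached on 25, 465 or 587, and a
    rebuilt sample may carry a different port with the same account.
    """
    host = str(cfg["host"]).lower()
    return [s for s in sessions if s.dst_host.lower() == host]


if __name__ == "__main__":
    print(build_suricata_rule(EXTRACTED_CONFIG, sid=1000001))
    for hit in match_sessions(EXTRACTED_CONFIG, SAMPLE_SESSIONS):
        print(f"exfil session: {hit.src_ip} -> {hit.dst_host}:{hit.dst_port}")
```

Two cautions when acting on this config. The host looks like an ordinary corporate mail server, so the account is most likely a compromised or abused legitimate mailbox: alert on lookups and connections first, and confirm that your organisation does not legitimately exchange mail with that domain before blocking it outright. And the password shown on the page belongs to the attacker's drop mailbox; do not log in to it, since that is unauthorised access, but report the abuse to the domain owner or its hosting provider.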

Targets

    • Target

      Order-Item list.exe

    • Size

      596KB

    • MD5

      e50062929312e517c158965db1858662

    • SHA1

      37a0bf7c126c5bd4ab90bb183c38248983cd3d66

    • SHA256

      af905972a17e26abbcdb1b00d7ce10499707d2a3c42f5a9584a4823adf1a1c0e

    • SHA512

      84afc4560779f303e3a4e00dc64aa24bda50eed1ec6711d69917a3a5cf79963fd44829ef9ab6ad260b902052836f28d19c488439f52c2456a88a8c0e4cab0ad0

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic); the SMTP account in the extracted configuration above is the channel it uses to exfiltrate what it harvests.

    • suricata: ET MALWARE AgentTesla Exfil Via SMTP

      The Emerging Threats rule matched outbound SMTP traffic from the sample, consistent with the extracted configuration (mail.pkfpmes.co.ke, port 587).

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence to avoid running in certain regions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is the step that redirects a suspended thread into injected code, the classic process hollowing pattern; the payload may therefore run inside a process other than the dropped executable.
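The behavioural signatures in the list above map directly onto file and registry accesses that endpoint telemetry can see. The following Python is an added example for this report (not Triage's or the sample's code) that encodes those signatures as path rules, runs them over constructed process-monitor style events, and flags a process as an infostealer candidate when it touches more than one kind of credential store. The file and registry paths in the rules are the usual locations for these applications and are assumptions, not paths observed in this run; the events are constructed for illustration.

```python
"""Host-based detection for the behaviours listed in this report.

Added example for this report, not Triage's or the sample's code.  The
events below are constructed to look like summarised process-monitor /
Sysmon records; the file and registry paths in the rules are the usual
locations for these applications and are assumptions, not paths observed
in this run.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    pid: int
    image: str   # process image name
    op: str      # "file_read", "file_write" or "reg_query"
    path: str


# (signature name from the report, operations it applies to, path globs)
RULES: List[Tuple[str, Tuple[str, ...], List[str]]] = [
    ("Reads data files stored by FTP clients", ("file_read",),
     [r"*\FileZilla\recentservers.xml", r"*\FileZilla\sitemanager.xml"]),
    ("Reads user/profile data of web browsers", ("file_read",),
     [r"*\User Data\*\Login Data", r"*\Firefox\Profiles\*\logins.json"]),
    ("Reads user/profile data of local email clients", ("file_read",),
     [r"*\Thunderbird\Profiles\*\logins.json"]),
    ("Accesses Microsoft Outlook profiles", ("reg_query",),
     [r"HKCU\Software\Microsoft\Office\*\Outlook\Profiles\*"]),
    ("Checks computer location settings", ("reg_query",),
     [r"HKCU\Control Panel\International\Geo\Nation"]),
    ("Drops file in Drivers directory", ("file_write",),
     [r"C:\Windows\System32\drivers\*"]),
]

# The first four rules are credential-store reads; a process that trips
# several different ones is the infostealer pattern described on the page.
CREDENTIAL_RULES: Set[str] = {rule[0] for rule in RULES[:4]}

# The application that owns a credential store reads it legitimately, so
# those images are excluded to keep Chrome reading its own Login Data quiet.
OWNER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe",
                "thunderbird.exe", "outlook.exe", "filezilla.exe"}

# Constructed sample events (not sandbox output); the image name reuses
# the file name from this report, the paths and PIDs are made up.
SAMPLE_EVENTS: List[AccessEvent] = [
    AccessEvent(4812, "Order-Item list.exe", "reg_query",
                r"HKCU\Control Panel\International\Geo\Nation"),
    AccessEvent(4812, "Order-Item list.exe", "file_read",
                r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"),
    AccessEvent(4812, "Order-Item list.exe", "file_read",
                r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(4812, "Order-Item list.exe", "reg_query",
                r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    AccessEvent(1204, "explorer.exe", "file_read",
                r"C:\Users\victim\Documents\notes.txt"),
    AccessEvent(3320, "chrome.exe", "file_read",
                r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]


def evaluate(events: List[AccessEvent]) -> Dict[int, List[str]]:
    """Map each PID to the sorted list of distinct signatures it fired."""
    hits: Dict[int, Set[str]] = {}
    for ev in events:
        if ev.image.lower() in OWNER_IMAGES:
            continue
        for name, ops, globs in RULES:
            # Globs and paths are lower-cased so matching is case-insensitive
            # regardless of the host platform's fnmatch behaviour.
            if ev.op in ops and any(
                    fnmatch.fnmatchcase(ev.path.lower(), g.lower()) for g in globs):
                hits.setdefault(ev.pid, set()).add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def infostealer_candidates(events: List[AccessEvent], min_kinds: int = 2) -> List[int]:
    """PIDs that read at least `min_kinds` different kinds of credential store."""
    return sorted(pid for pid, names in evaluate(events).items()
                  if len(CREDENTIAL_RULES & set(names)) >= min_kinds)


if __name__ == "__main__":
    for pid, names in evaluate(SAMPLE_EVENTS).items():
        print(pid, names)
    print("infostealer candidates:", infostealer_candidates(SAMPLE_EVENTS))
```

Requiring two or more distinct credential-store kinds from one process is what keeps this from firing on a single backup agent or a browser importing another browser's passwords; the geofence and driver-directory rules are kept as context rather than counted, since on their own they are weak evidence. Because the sample also uses SetThreadContext, the process that performs these reads may not be the dropped executable itself, so correlate by the injected process as well when applying this to real telemetry.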

MITRE ATT&CK Enterprise v6

Tasks