General

  • Target

    13d2cbbbb33951c21bd06e946dd2eaf5945f678bd0f5e62a09c1b0a6765ccda1

  • Size

    667KB

  • Sample

    220521-nhs91sdgc3

  • MD5

    e9a4c88c152b984c3538028f3ac72688

  • SHA1

    1c489a639854a0f0eaa8077e9f0ba38f387aef61

  • SHA256

    13d2cbbbb33951c21bd06e946dd2eaf5945f678bd0f5e62a09c1b0a6765ccda1

  • SHA512

    de0ce28431b5018a5f9993b1676ef4daf9f2b3a19bd3649b2a3ea22c092297bd5ac99a718d988acc1aa284622887c6a183c85c1495889ef3c4fbae4131a40503

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.radiomeff.mk
  • Port:
    587
  • Username:
    wc@radiomeff.mk
  • Password:
    qazwsx@11

Targets

    • Target

      ORDER FORMi.exe

    • Size

      965KB

    • MD5

      8d7345631f4f346895f98240c6ec5059

    • SHA1

      2e2c1602160bf5c26b4107f1b0ca15fa7354f4a8

    • SHA256

      310357fce084be8373ed754c4a6ea2fb426d90aac3d1fb1fffae16b63051b9c4

    • SHA512

      982b410e447810109c8f95e554ddf4b4e1b8135f8d228b0273a0f61c20e4f9b3e3e037d98b9441d5d28ae820a098ee19d17476526813757b0160be19b213c96b

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                Count  ID
  Credential Access  Credentials in Files     3      T1081
  Collection         Data from Local System   3      T1005
  Collection         Email Collection         1      T1114

Tasks