General

  • Target

    cc879151b41ce6cca54ebb24cb34f11a06e4f24a187f8b69cc612e68e22d081b

  • Size

    390KB

  • Sample

    220521-nqv4kseac8

  • MD5

    692b47eb2bd9abb628c89a88e9ee19a4

  • SHA1

    43f8aab1eaa3105afb7d858c3173ecc13cc10d98

  • SHA256

    cc879151b41ce6cca54ebb24cb34f11a06e4f24a187f8b69cc612e68e22d081b

  • SHA512

    1d6a339da2e5991bc0bb1625ee149238e8e697393ae5552e426759e0223ef1c0830cf33f8029bd75004deaa6735cd38896105639dfd98c53a5abd8273c12513d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    henrylogsss@yandex.com
  • Password:
    @vision123

Targets

    • Target

      Invoices.pdf.exe

    • Size

      477KB

    • MD5

      503c9f40d7fa05c4cb20633a6fb4e603

    • SHA1

      90cee96a631330b0a796840693ab93cda15c3575

    • SHA256

      7348aa6bc1128a83b361be3add1588adb8c41cb7e83fb3bf8625d63521da91c8

    • SHA512

      c5ef236679d67c77629ac9a0cb775a5e02080391156f69f6c4e48e9616d6a39afeb59e353702a08c39a114e17049cd200d66655756503dc597a29fbedfa1e880

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    T1081 Credentials in Files (3)

  • Collection

    T1005 Data from Local System (3)

    T1114 Email Collection (1)

Tasks