Overview

overview

10

Static

static

Quotation.exe

windows7_x64

10

Quotation.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fe4c31f5c692b0116431ee5679807971a19d89a2faab54e7c2864f16639458e2

  • Size

    448KB

  • Sample

    220521-nx9kjsecf3

  • MD5

    66181e5843d30fb5da65714595505b35

  • SHA1

    4a2804d186e4a4696162397dbd722759f30fa44b

  • SHA256

    fe4c31f5c692b0116431ee5679807971a19d89a2faab54e7c2864f16639458e2

  • SHA512

    845997fb7cc9c34efbf9e783fb024ca953ee3f00683f2a37af73be3d43e72453a5a7b443295d333f4b123a892d3eff7756c19145d7164ba48ab7292318905164

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    maka@wanchuangda.pw
  • Password:
    mmm777

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    maka@wanchuangda.pw
  • Password:
    mmm777

Targets

    • Target

      Quotation.exe

    • Size

      858KB

    • MD5

      78832f031eac50fc85ad33b10ab20c84

    • SHA1

      3c33ff149fd9fdbdea22abb85bd84e6ba99e0a32

    • SHA256

      8f29462204ac0f3027f813dc6203a09864d9e54c2de340dfcc2b47d9969bda5d

    • SHA512

      f17de17e828c7aacd7418a214bf679be9604d06ae0ee7af8a2a595dcdb3bfb8ca260b5c22cd02c8be42cadf33c978377f59ae1736b9ffadaec7c46c2c142f9f0

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks