Overview

overview

10

Static

static

payment sw...ml.exe

windows7_x64

10

payment sw...ml.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    613ffa6fb0f9965935297490a3ea5f63c8f870201ec304321e3812f5518c840b

  • Size

    407KB

  • Sample

    220521-nxpv5shdck

  • MD5

    730801fffb828d44f1acdda7881a4054

  • SHA1

    7ad7d7e760573ec10cd911e5e0f56e59191827ad

  • SHA256

    613ffa6fb0f9965935297490a3ea5f63c8f870201ec304321e3812f5518c840b

  • SHA512

    43acc2f70a4b46505fe28aa3be326bef6f838d6b59a78811dbe0f38286bcb0055cb6279435144676873c6f34d792e3a67607ae692ba94b334c7aba334e40b4c7

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.himdiesel.com
  • Port:
    587
  • Username:
    accounts@himdiesel.com
  • Password:
    hdes@mhe

Targets

    • Target

      payment swift copy -html.exe

    • Size

      699KB

    • MD5

      09a08a29118e5b3e384fc7aaeea99efd

    • SHA1

      cbeadbda9e2cd9f4eec994fb2f484f8db868f34b

    • SHA256

      f08ce88e79b97af9335ba57148285d21ec9527019331f78279d0f19c25a4f211

    • SHA512

      b11eb80cb67e7bdbb91a48dce36d2d61817045b396847cf23d5f5dc5eb40229d7fbc4ce99c10b27aba62b025b872be366fabb442ee21eda707f5b979e3349c3e

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks