Overview

overview

10

Static

static

SOA APRIL.exe

windows7_x64

10

SOA APRIL.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e0d8264fabf1ca2d192a05422252289a76a594036ebc757e5f9ae69ed83d525d

  • Size

    493KB

  • Sample

    220521-ny2w4ahdhp

  • MD5

    37378ea5d80afa23a1981a9411a0d26e

  • SHA1

    5c6ade0ffaef2e6043ffba23913c4e1783573a17

  • SHA256

    e0d8264fabf1ca2d192a05422252289a76a594036ebc757e5f9ae69ed83d525d

  • SHA512

    db51fbb7a34b09a725c67c891df5e2ed9b98ebfb191e0bbfe79d43da223c2bcf2e2b7242d1e954280106e448dacccbd3ff1d3562891fce8189d898b213ea1bd8

Score
10/10
agentteslacollectionevasionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.tolipgoldenplaza.com
  • Port:
    587
  • Username:
    dir.fb@tolipgoldenplaza.com
  • Password:
    Golden@#$2019

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.tolipgoldenplaza.com
  • Port:
    587
  • Username:
    dir.fb@tolipgoldenplaza.com
  • Password:
    Golden@#$2019

Targets

    • Target

      SOA APRIL.exe

    • Size

      586KB

    • MD5

      2a0f351d2091f584260d729a5b278a84

    • SHA1

      d1738ccabebe0c330b5c14505744948a76492ca9

    • SHA256

      0ed8342c19d8ff14d83588ca91cc6b5ab6bd811de15f05e5497d62ba25e56365

    • SHA512

      7ae35c5867ec9c3967ac738484f3ca6994b67154e8873d58a497ba30625ad7a1fb858f3b2f8f1b72bb1c6483bbf2f57df9beaba1f1d42b9cbb47e3602baa1880

    Score
    10/10
    agentteslacollectionevasionkeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks