General

  • Target

    c9138e38bf7241d2d79afb9b4d326a92d3bcf27cc9f032b3d2d02b6d943a1542

  • Size

    265KB

  • Sample

    220521-nz1qesedc5

  • MD5

    2b2613a47291de32f7564e174124255d

  • SHA1

    bdd8cd242c70f90eb203d79f6d087de0e8e83caa

  • SHA256

    c9138e38bf7241d2d79afb9b4d326a92d3bcf27cc9f032b3d2d02b6d943a1542

  • SHA512

    7ee87a3c08810051513dbade55e333673c5efd4d985b00855ee4ee0153ecd4281c837f3f4545808ee6abb38b53c98b49debe5fa30c4231b444702af67f83b4cb

Malware Config

Targets

    • Target

      INV#NO.12KF61.exe

    • Size

      621KB

    • MD5

      9d2482666eb2b88666a0d8ef8f103b7d

    • SHA1

      7c2a5b3606803049eedf92bdd184c601b22a46cb

    • SHA256

      3c165962ade84ada408c62730f36f4885ceede2f15aaa3de5e0f2d20fa204eb8

    • SHA512

      13f7e932db8725d0c9eb6b634a52f87fe10d2ea534e8499e902d82ea5382118df4b37de40578c73782a95ba0488d044425e011a29535aab2bdde8f2eae17588a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 3

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 3

    Email Collection (T1114): 1

Tasks