General

  • Target

    d705db8b864169f89c2544719290c9a768742fe6767e8d436c8be40ce3d998c9

  • Size

    1.4MB

  • Sample

    220521-nz5dlsedc9

  • MD5

    42b30143eef665405eaa86258e78b286

  • SHA1

    76b7b630a6085dbc5e6685c34e83ab21645e940f

  • SHA256

    d705db8b864169f89c2544719290c9a768742fe6767e8d436c8be40ce3d998c9

  • SHA512

    f431587b57ac4e545f27662b1fee3240410a07862349a0a103f6848c15ca2533a53b94f8fdddc99780351fe731b8527f5432ae5ace406608e87b2112f98ede16

Malware Config

Extracted

  • Family:
    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    mailduplicate@yandex.com
  • Password:
    daddyhandsome1234

Targets

    • Target

      DHL.EXE

    • Size

      898KB

    • MD5

      195b2371b4a09b2d9c15ad1172eecf6c

    • SHA1

      f29b535745e31e646baa3d4c11b79e68e5c6c61c

    • SHA256

      7cdb6560b9c8d6abd88e0a6a0c836d8fb50bb3c8f786683e44bfc990031072ad

    • SHA512

      5ee46369bf4329441d45ea55099ceb37c54ca7acc3caeed3fe2ec22eb1880e6287797cf7a6d5df7c28975403b1d5bc5f799ca29f03928d20187a0823e3e418d8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 3
  • Collection
    Data from Local System (T1005): 3
    Email Collection (T1114): 1

Tasks