Overview

overview

10

Static

static

PO NO 00009.exe

windows7_x64

10

PO NO 00009.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cbb5708461a8021f7492766462fed7a13e7157cb51f11e85276bc57b41d23077

  • Size

    305KB

  • Sample

    220521-nzvt6sedb9

  • MD5

    5831c0eb60ab56c7318067e6a318510e

  • SHA1

    e08ad60ad34bbaea62e6a9d32d9006554b8663a4

  • SHA256

    cbb5708461a8021f7492766462fed7a13e7157cb51f11e85276bc57b41d23077

  • SHA512

    77924bb7d628b848ed6ea8f8c74fd1935b6f8fd9d6b3d96718ea2942ec05093efecd700024f9c7b6278d448b75848721f86d7c41411bc5b953e3bffe0f2ab2d2

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://b7d38dd3.freetzi.com/
  • Port:
    21
  • Username:
    b7d38dd3.freetzi.com
  • Password:
    PNzwaBM2ztqp

  • Protocol:     ftp
  • Host:
    ftp://b7d38dd3.freetzi.com/
  • Port:
    21
  • Username:
    b7d38dd3.freetzi.com
  • Password:
    PNzwaBM2ztqp

Targets

    • Target

      PO NO 00009.exe

    • Size

      493KB

    • MD5

      a78f99ae2ff781bbcdde9ab8d6a0307a

    • SHA1

      67c94c2224fbe7a53b97d56edd6dfb04958d5c8e

    • SHA256

      c3180ff92fcee7ac1aad76d8fe18371a2ae6d0b5bac62da4547cc937dd5f9480

    • SHA512

      fe8e24e7ecd456959209e7e3d471b50b12b0006e5844c0708952335f9cb86bfe5cd639660d407703a0673e706fba91186fc05e467c6db7fcc83322d6c990e280

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks