General

  • Target

    9ee7f424459fe2f8626518e88f8b280fe7ad77829a440fc66c64e71ed3246bbb

  • Size

    489KB

  • Sample

    220521-pacsqsabap

  • MD5

    43d1fcb04aaf34c5d523236196420f3d

  • SHA1

    db4982b5920c6a9580de878e37ba743bd35045b4

  • SHA256

    9ee7f424459fe2f8626518e88f8b280fe7ad77829a440fc66c64e71ed3246bbb

  • SHA512

    bca9a923fe9ea62ae214479f606ed9ce08e926b935c3db711f4a0933c7723606d3c792a0aa37cdbb1af32ed234b14f90ce10271bc724d64bf95fb8c59ca75bd2

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.sanfusin.com.tw
  • Port:
    587
  • Username:
    ab11@sanfusin.com.tw
  • Password:
    philomina1234567890

Targets

    • Target

      COPY.exe

    • Size

      524KB

    • MD5

      a21ce2c71ed22848481762cb30e2e14d

    • SHA1

      bc4abd722a2d078b21e1877a4f648ecb63a3aa8f

    • SHA256

      65fa84dd1967467b1ec2be1efa3562a6a4db188835f3c53517add8fc825a0edc

    • SHA512

      872d1396bb112a6f84b45f2cb847fd4dda1918517c1f6c02ba8b6e8ed50ad17c0013d9ef7e34e807c07454d9b941a02694ad8ff2cfd5a3b2c1e2590094abcf4d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

    • AgentTesla Payload

    • CoreCCC Packer

      Detects CoreCCC packer used to load .NET malware.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    • Scheduled Task: T1053 (1)

  • Persistence

    • Registry Run Keys / Startup Folder: T1060 (1)
    • Scheduled Task: T1053 (1)

  • Privilege Escalation

    • Scheduled Task: T1053 (1)

  • Defense Evasion

    • Modify Registry: T1112 (1)

  • Credential Access

    • Credentials in Files: T1081 (3)

  • Discovery

    • Query Registry: T1012 (1)
    • System Information Discovery: T1082 (2)

  • Collection

    • Data from Local System: T1005 (3)
    • Email Collection: T1114 (1)

Tasks