Overview

overview

10

Static

static

Purchase S...20.exe

windows7_x64

10

Purchase S...20.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0ffd3cc8c5628fff810737b47b2788735af8281dd86c2a6b1695868cfc53eae2

  • Size

    493KB

  • Sample

    220521-pcbcpafac7

  • MD5

    8dc1ab771df2b456ff61bf94c51932fd

  • SHA1

    a7ea762d33da3cd643baece6e3ba0613b82905be

  • SHA256

    0ffd3cc8c5628fff810737b47b2788735af8281dd86c2a6b1695868cfc53eae2

  • SHA512

    b6cd882edc981453d3e37a659e812e49d584cd4f2fa83a70f60ecb880c18722595a6f612b2b707cb57fdfab52770865ebd800ab261a2e43413764fe89e0be45c

Score
10/10
agentteslacollectioncoreentityevasionkeyloggerpersistencerezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    mikhiliovsergey@mail.ru
  • Password:
    godwill12

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    mikhiliovsergey@mail.ru
  • Password:
    godwill12

Targets

    • Target

      Purchase Sheet 2020.exe

    • Size

      611KB

    • MD5

      a6619cf730f2e03c81aeb9fefcd70778

    • SHA1

      2dca6afaf991614515c6f4fa59ce32460e0872e4

    • SHA256

      f4ce706bea83c92bea67552077d4b3d9c1d1d58add3d8a53763cd5def3b23138

    • SHA512

      18330333e39596142bada9d13a039e7390946e736f3e214affa626df2ac29eebfa7a0eff9743a2d92d4d1daded98f7eddd6d916874087b9bcf0ac986283c1e25

    Score
    10/10
    agentteslacollectioncoreentityevasionkeyloggerpersistencerezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks