General

  • Target: fe95b8e22f7ed52665da4f9317a8a128470052a172513f89cd5c33f7dadc3965
  • Size: 378KB
  • Sample: 220521-pdlvtaaceq
  • MD5: 6abb23580badf0e8d9dd3aa6bb3a2347
  • SHA1: 0db6e50406e11566cb4f26220484de4aceee70b0
  • SHA256: fe95b8e22f7ed52665da4f9317a8a128470052a172513f89cd5c33f7dadc3965
  • SHA512: dd7371426896320a77418e96a2ef655434bc0865a8511c6fe2fe46839646139d9177b187bf0a9cb933bcaeeb1d30c1c21aea9386bc25bc5669cca293bfba432f

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: secure231.servconfig.com
  • Port: 587
  • Username: info@eltaef.com
  • Password: eltaefSH6548883

Targets

    • Target: BalPO21504pdf.exe
    • Size: 392KB
    • MD5: 26b4ecd94509e28f4ae0fadc37982a24
    • SHA1: a08b1e93b2f33ed19c7c2d766ba6ec4b12f670c6
    • SHA256: 31f91924abcb4657d19721140bb21db8b517dc6a48830c7c5dc53d819c507248
    • SHA512: 422f28259d188f8d02368c0419eb212e12ca5d657340311ad11732c768dd497665e42e4b6fbc7e084ce7c724e8174551d682801fd9040b4e7f52319b6671a4ca

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 3

  • Collection
    Data from Local System (T1005): 3
    Email Collection (T1114): 1
