General

  • Target

    fd5e31dbca53b624ebc1b148be20dc49095914002ff2537b6498b514596c7ad0

  • Size

    445KB

  • Sample

    220521-pdmgcafba3

  • MD5

    a71e5939eaab5b64ae0caa77fd6e5ca1

  • SHA1

    d0b0f173e79f4fb1fc2bee079ec443185d48c2b0

  • SHA256

    fd5e31dbca53b624ebc1b148be20dc49095914002ff2537b6498b514596c7ad0

  • SHA512

    a514c05834c12ca1ce8f26379f835cb2d72166281aa383a6829891d12d06ca4e4b6d7d7c9b05325f13cc617809a133885f8dfe74a8a4a23b2f7ba6977b84e160

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    logs2020@gtbenk-plc.com
  • Password:
    mkoify147@@@

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    logs2020@gtbenk-plc.com
  • Password:
    mkoify147@@@
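
The extracted configuration above is the actionable part of this report for a defender: the sample exfiltrates over SMTP submission (port 587) to us2.smtp.mailhostbox.com using a hard-coded mailbox. The following is an added example, not part of the sandbox output, showing how those indicators translate into detection logic run over connection records. The log format (a flat JSON export with src, dst_ip, dst_name, dst_port and an optional smtp_user field), the records themselves and the relay allowlist MAIL_RELAYS are all constructed for the example; the host and username indicators are the ones on this page.

```python
import json

# Indicators taken from the extracted AgentTesla configuration on this page
IOC_SMTP_HOSTS = {"us2.smtp.mailhostbox.com"}
IOC_SMTP_USERS = {"logs2020@gtbenk-plc.com"}

# Ports used for SMTP relay/submission; 587 is the one in the extracted config
SMTP_PORTS = {25, 465, 587}

# Assumed: the only hosts in this hypothetical network allowed to speak SMTP outbound
MAIL_RELAYS = {"10.0.0.25"}

# Constructed sample records (hypothetical flattened JSON export of a connection
# log, with the SMTP AUTH user added where a sensor could see it). Not real traffic.
SAMPLE_LOG = """\
{"uid": "C1", "src": "10.0.0.25", "dst_ip": "198.51.100.5", "dst_name": "mx.partner.example", "dst_port": 25}
{"uid": "C2", "src": "10.0.5.17", "dst_ip": "203.0.113.10", "dst_name": "us2.smtp.mailhostbox.com", "dst_port": 587, "smtp_user": "logs2020@gtbenk-plc.com"}
{"uid": "C3", "src": "10.0.5.17", "dst_ip": "203.0.113.44", "dst_name": "www.example.org", "dst_port": 443}
{"uid": "C4", "src": "10.0.7.3", "dst_ip": "192.0.2.8", "dst_name": "smtp.someisp.example", "dst_port": 465}
"""


def classify(rec: dict):
    """Return (severity, reason) for one connection record, or None if it looks benign.

    Rule 1 matches the exact indicators from the extracted config.
    Rule 2 is the generic behaviour behind them: an endpoint that is not a mail
    relay talking SMTP directly to the internet, which is how this family exfiltrates.
    """
    name = rec.get("dst_name", "")
    user = rec.get("smtp_user", "")
    port = rec.get("dst_port")
    if name in IOC_SMTP_HOSTS or user in IOC_SMTP_USERS:
        return ("high", f"known AgentTesla exfil indicator: {name or user}")
    if port in SMTP_PORTS and rec.get("src") not in MAIL_RELAYS:
        return ("medium", f"direct SMTP submission from endpoint {rec['src']} to {name}:{port}")
    return None


def scan(log_text: str) -> list:
    """Run classify() over newline-delimited JSON; return [(uid, severity, reason)] for hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict:
            hits.append((rec["uid"], *verdict))
    return hits


if __name__ == "__main__":
    for uid, severity, reason in scan(SAMPLE_LOG):
        print(f"{uid} [{severity}] {reason}")
```

The host-name rule only fires if the sensor resolves destination names (DNS or TLS SNI); the username rule is best-case, since on port 587 the AUTH command usually happens after STARTTLS and is invisible without TLS inspection. The port-based rule is the durable one: it catches the next sample of this family that changes mailbox and provider.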

Targets

    • Target

      New PO.exe

    • Size

      537KB

    • MD5

      a4352d77906441a3cd97c7d30c7e580b

    • SHA1

      cabb47c10a3c03feb079f8ffb00d655708860fbc

    • SHA256

      39492ca7d000a28c93084709bacf6b19357e7d79a67b3223ae2c7477bc574aa2

    • SHA512

      8c09b2a1f2d5175087af17f57099aabb0429b528d8c279f8f25ba8cf5eb5b6792ef0d590a0c3a78c480bf3e16d774fcd9bde6cd9a649a649a05db8729f43e5e4

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic).

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds its payload as a Bitmap object and decrypts it at runtime.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
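
The CoreEntity signature above says the payload is carried inside a Bitmap object. The sample-specific decryption step is not described on this page, but the carving step that precedes it is generic, and the following added example (not code from the sandbox or from any packer) shows it: parse the BMP container, strip the per-row padding the format imposes, and locate an embedded PE by validating that the MZ header's e_lfanew actually points at a PE signature rather than matching the two bytes "MZ" alone. build_bmp and fake_pe only construct the sample input; they stand in for a real packed resource and real payload, which this example does not include.

```python
import struct


def build_bmp(pixel_bytes: bytes, width: int) -> bytes:
    """Constructed sample only: wrap arbitrary bytes into a valid 24bpp BMP container,
    padding each row to a 4-byte boundary as the format requires."""
    row_len = width * 3
    pad = (-row_len) % 4
    height = -(-len(pixel_bytes) // row_len)          # ceiling division
    pixel_bytes = pixel_bytes.ljust(row_len * height, b"\x00")
    rows = [pixel_bytes[i * row_len:(i + 1) * row_len] + b"\x00" * pad
            for i in range(height)]
    data = b"".join(rows)
    offset = 14 + 40                                   # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = b"BM" + struct.pack("<IHHI", offset + len(data), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(data), 2835, 2835, 0, 0)
    return file_header + info_header + data


def bmp_pixel_bytes(bmp: bytes) -> bytes:
    """Return the raw pixel payload of a 24/32bpp BMP with row padding stripped.

    Rows come back in storage order (bottom-up when height is positive). A packer
    may have written the payload in either order; if MZ turns up at the end, reverse rows.
    """
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    (offset,) = struct.unpack_from("<I", bmp, 10)     # bfOffBits
    width, height = struct.unpack_from("<ii", bmp, 18)  # biWidth, biHeight
    (bpp,) = struct.unpack_from("<H", bmp, 28)        # biBitCount
    if bpp not in (24, 32):
        raise ValueError(f"unsupported bit depth {bpp}")
    row_len = width * bpp // 8
    stride = (row_len + 3) & ~3                        # rows are padded to 4 bytes
    return b"".join(bmp[offset + r * stride: offset + r * stride + row_len]
                    for r in range(abs(height)))


def carve_pe(blob: bytes):
    """Return the slice starting at the first 'MZ' whose e_lfanew points at 'PE\\0\\0', else None."""
    idx = blob.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, idx + 0x3C)
            if 0 < e_lfanew < len(blob) - idx - 4 and \
                    blob[idx + e_lfanew: idx + e_lfanew + 4] == b"PE\x00\x00":
                return blob[idx:]
        idx = blob.find(b"MZ", idx + 1)
    return None


def fake_pe() -> bytes:
    """Constructed stand-in for a payload: a minimal MZ/PE header skeleton, not a real executable."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)            # 0x3C bytes of DOS header
    hdr += struct.pack("<I", 0x40)                      # e_lfanew -> PE signature at 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 20 + b"payload-body"
    return bytes(hdr)


def demo() -> bytes:
    """Hide fake_pe() behind 21 bytes of 'pixels', wrap it in a BMP, then carve it back out."""
    bmp = build_bmp(b"\x11\x22\x33" * 7 + fake_pe(), width=5)
    return carve_pe(bmp_pixel_bytes(bmp))


if __name__ == "__main__":
    carved = demo()
    print(f"carved {len(carved)} bytes, e_lfanew = 0x{carved[0x3C]:x}")
```

On a real sample the bytes returned by bmp_pixel_bytes are usually still encrypted or XOR-obfuscated (the signature text says "later decrypted"), so carve_pe is run after whatever transform the unpacker applies; the point of the e_lfanew check is that it also serves as the oracle for whether that transform was right.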

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic: Technique (ID), number of matching signatures

  • Execution: Scheduled Task (T1053) x1
  • Persistence: Scheduled Task (T1053) x1
  • Privilege Escalation: Scheduled Task (T1053) x1
  • Credential Access: Credentials in Files (T1081) x3
  • Discovery: Query Registry (T1012) x1; System Information Discovery (T1082) x2
  • Collection: Data from Local System (T1005) x3; Email Collection (T1114) x1

Technique IDs follow ATT&CK v6. In the current matrix T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files), T1053 into T1053.005 (Scheduled Task/Job: Scheduled Task) and T1114 into T1114.001 (Email Collection: Local Email Collection).
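
The "Credentials in Files" row above and the "Reads data files stored by FTP clients" signature are the same behaviour seen from two angles: FileZilla keeps saved site logins in sitemanager.xml, and for entries saved without a master password the stored password is only base64-encoded. The following added example (not from the sandbox or from FileZilla) parses such a file the way a stealer or a forensic analyst would, to show exactly what is recoverable. The XML is constructed to match the FileZilla 3.x layout; the host names and credentials in it are invented.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample shaped like FileZilla 3.x sitemanager.xml
# (%APPDATA%\FileZilla\sitemanager.xml on Windows). Not taken from any real host.
SAMPLE_SITEMANAGER = """\
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.60.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.internal.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">U3VwM3JTM2NyM3Q=</Pass>
      <Logontype>1</Logontype>
      <Name>Build server</Name>
    </Server>
    <Server>
      <Host>sftp.vendor.example</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Logontype>2</Logontype>
      <Name>Vendor (ask for password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def harvest(xml_text: str) -> list:
    """Return one dict per <Server>: what can be read from the file without user interaction."""
    root = ET.fromstring(xml_text)
    entries = []
    for srv in root.iter("Server"):
        entry = {
            "name": srv.findtext("Name", ""),
            "host": srv.findtext("Host", ""),
            "port": int(srv.findtext("Port", "0")),
            "user": srv.findtext("User", ""),
            "password": None,
            "stored": "none",
        }
        pw = srv.find("Pass")
        if pw is not None and pw.text:
            enc = pw.get("encoding", "plain")          # very old versions wrote no attribute
            if enc == "base64":
                entry["password"] = base64.b64decode(pw.text).decode("utf-8", "replace")
                entry["stored"] = "base64 (reversible)"
            elif enc == "plain":
                entry["password"] = pw.text
                entry["stored"] = "plaintext"
            else:
                # Master-password protected entries carry a different encoding; not decoded here.
                entry["stored"] = f"encoding={enc} (not decoded here)"
        entries.append(entry)
    return entries


def exposed(entries: list) -> list:
    """Names of entries whose password is recoverable straight from disk."""
    return [e["name"] for e in entries if e["password"] is not None]


if __name__ == "__main__":
    found = harvest(SAMPLE_SITEMANAGER)
    for e in found:
        print(f"{e['name']}: {e['user']}@{e['host']}:{e['port']} [{e['stored']}]")
    print("exposed:", exposed(found))
```

The practical check after an infection like this one is therefore not only "did it run" but "what was on disk for it to read": any entry reported as reversible by this script should be treated as compromised and rotated. FileZilla's master-password setting is the mitigation that removes the reversible form from the file; recentservers.xml in the same directory holds the same shape of data for ad-hoc connections.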

Tasks