General

  • Target

    eeb4319818959c111beae9f0bd038991b41a9294c50700c6390ce9fe5490fb74

  • Size

    424KB

  • Sample

    220521-pdy55sacgm

  • MD5

    8744c132c480a768be02b78b7578d88d

  • SHA1

    5396ef0eb79dc941602e6fc7cdd8055119ba0099

  • SHA256

    eeb4319818959c111beae9f0bd038991b41a9294c50700c6390ce9fe5490fb74

  • SHA512

    dc7b7325831bbac23b168f70c70f102bf2992eca1b8ab632b7cc1778dad507be1da5ddcc87d278e369e534f6fdb071a9b94566c6651b0f358cd2e77f237d81e4

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    alexisborris@yandex.ru
  • Password:
    @Veronica24#

Targets

    • Target

      Payment Copy.exe

    • Size

      447KB

    • MD5

      6ad7d8bf86c04715891b54cd2fe4a3de

    • SHA1

      01417971637c349319d11de98c48f92c3eab6d50

    • SHA256

      637b72e82538b767707282db37c0f960aa60c72e3c44c76ecaf232a9c105bf41

    • SHA512

      79945668bec8fc41fd54169117aee755c74fae765398d92c2afccf45ed4e326a799015cb2cdf107618a4681648ad2246820916d37e57411f3c776c5bc88c6e35

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 3
  • Collection
    Data from Local System (T1005): 3
  • Collection
    Email Collection (T1114): 1

Tasks