General

  • Target

    e493e036c04f67ad8a5828c677951868f3d3f9a16133ea7c8f0812592a6c1546

  • Size

    447KB

  • Sample

    220521-pebq8sachr

  • MD5

    8af57b83e7b2ca748bdb94be74c26a83

  • SHA1

    5e539db706b2d1e5dbe871af4460ed499a1e305e

  • SHA256

    e493e036c04f67ad8a5828c677951868f3d3f9a16133ea7c8f0812592a6c1546

  • SHA512

    88f56216c36fbc41e54122020daa76c087e31fc2d041827933324259b4bf30fd9529276bc1f19d38a0320ab976b7b54692d3a624824c8d84351ec28cfaed5e58

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    secure231.servconfig.com
  • Port:
    587
  • Username:
    info@eltaef.com
  • Password:
    eltaefSH6548883
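
The SMTP host and account above are the most durable indicators in this report, and they are worth hunting for in process dumps and unpacked samples. One caveat matters for AgentTesla: it is a .NET binary, and .NET keeps string literals and live System.String objects as UTF-16LE, so an ASCII-only `strings` pass over a dump misses the config. The scanner below is an added example written for this page, not Triage's code and not from the sample; the dump it searches is a constructed stand-in that places the report's host and username as a .NET process would hold them, plus one ASCII copy.

```python
"""Scan a memory dump or unpacked sample for the strings in an extracted
AgentTesla SMTP config in both ASCII and UTF-16LE (the .NET in-memory
string encoding).  Added example; the dump is constructed, not real."""

# Values taken from the Malware Config block of this report.
EXTRACTED_CONFIG = {
    "protocol": "smtp",
    "host": "secure231.servconfig.com",
    "port": 587,
    "username": "info@eltaef.com",
}

ENCODINGS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process dump: the config strings as a .NET
    process would hold them (UTF-16LE), some unrelated ASCII noise, and one
    ASCII copy of the host as a log line or packer might leave it.
    Not data taken from the sample."""
    return (
        b"\x00" * 16
        + EXTRACTED_CONFIG["host"].encode("utf-16-le")
        + b"\x00" * 8
        + EXTRACTED_CONFIG["username"].encode("utf-16-le")
        + b"\x00" * 8
        + b"noise: filezilla sitemanager.xml outlook profile\x00"
        + EXTRACTED_CONFIG["host"].encode("ascii")
        + b"\x00" * 16
    )


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data (overlaps allowed)."""
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_for_config(data: bytes, config: dict = EXTRACTED_CONFIG) -> dict:
    """Map each string IOC to the (encoding, offset) pairs where it occurs."""
    hits = {}
    for key in ("host", "username"):
        value = config[key]
        hits[value] = [
            (name, off)
            for name, codec in ENCODINGS
            for off in find_all(data, value.encode(codec))
        ]
    return hits


def ascii_only_hits(data: bytes, config: dict = EXTRACTED_CONFIG) -> dict:
    """What a plain ASCII strings pass would report, for comparison."""
    return {
        config[key]: find_all(data, config[key].encode("ascii"))
        for key in ("host", "username")
    }


if __name__ == "__main__":
    dump = build_sample_dump()
    for value, where in scan_for_config(dump).items():
        print(f"{value}: {where}")
    print("ascii-only:", ascii_only_hits(dump))
```

On the constructed dump the username is found only as UTF-16LE, which is exactly the case an ASCII-only search reports as clean. The network side of the same config (outbound TCP/587 to secure231.servconfig.com from a host that is not a mail server) is the indicator to put in front of the proxy or NetFlow data.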

Targets

    • Target

      ORDERlist85398pdf.exe

    • Size

      522KB

    • MD5

      7ad886548166e2b8367171f5f9d22822

    • SHA1

      481bac80866886055838cb358528fe0971b1ac3d

    • SHA256

      b7482c61434635d571649f327745f55945828178069d73bf9d1bb9298e8de89c

    • SHA512

      bc8a37eb67bc8e9ba3c661e757980a3b1aceb204dcd72fc37fe8e309c7893d4f04b5aa695f6378a0628a3ce6f59d3faef3352ce436d343a056722b3b72657ecf

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic.

    • CoreEntity .NET Packer

      CoreEntity is a .NET packer that embeds its payload as a Bitmap object, which is decrypted and loaded at runtime.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
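
The CoreEntity signature above is worth unpacking by hand when the sandbox does not hand you the inner payload. The page says the payload sits in a Bitmap and is decrypted later, but does not say which cipher, so the example below (added here, not Triage's code and not CoreEntity's actual scheme) uses a single-byte XOR purely as a stand-in; the carving part is the generic piece: parse the BMP headers, walk the rows, strip the 4-byte row padding, then decrypt. The layout with a length prefix, the XOR key and the sample payload are all assumptions.

```python
"""Carve a payload stored in the pixel data of a 24-bpp BMP, the way a
.NET packer that hides its payload in a Bitmap does.  Added example: the
XOR cipher, the length-prefix layout and the key are assumptions standing
in for whatever CoreEntity really uses."""

import struct

XOR_KEY = 0x5A  # assumed stand-in key; the real scheme is not on this page


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_bmp(payload: bytes, width: int = 5, key: int = XOR_KEY) -> bytes:
    """Constructed sample: a 24-bpp BMP whose pixel bytes hold len(payload)
    as a little-endian u32 followed by the XOR-encoded payload, padded out
    to whole rows.  Returns the complete file image."""
    body = struct.pack("<I", len(payload)) + xor(payload, key)
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3             # BMP rows are padded to 4 bytes
    height = -(-len(body) // row_bytes)       # ceil division
    body = body.ljust(height * row_bytes, b"\x00")
    rows = b"".join(
        body[r * row_bytes:(r + 1) * row_bytes].ljust(stride, b"\x00")
        for r in range(height)
    )
    pixel_offset = 14 + 40                    # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = b"BM" + struct.pack("<IHHI", pixel_offset + len(rows), 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII",
                              40, width, height, 1, 24, 0, len(rows), 0, 0, 0, 0)
    return file_header + info_header + rows


def carve_payload(bmp: bytes, key: int = XOR_KEY) -> bytes:
    """Recover the payload from a BMP laid out the way build_bmp does:
    parse the headers, concatenate rows without their padding, read the
    length prefix, decrypt."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    hdr_size, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", bmp, 14)
    if hdr_size < 40 or compression != 0 or bpp != 24:
        raise ValueError("unsupported bitmap layout")
    height = abs(height)                      # negative height means top-down rows
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    body = b"".join(
        bmp[pixel_offset + r * stride: pixel_offset + r * stride + row_bytes]
        for r in range(height)
    )
    length = struct.unpack_from("<I", body, 0)[0]
    return xor(body[4:4 + length], key)


if __name__ == "__main__":
    sample = b"MZ\x90\x00 hypothetical inner payload"   # constructed, not the real one
    bmp = build_bmp(sample)
    print(len(bmp), "byte bitmap ->", carve_payload(bmp))
```

In a real case the bitmap comes out of the .NET resource section of the packed binary, and the only part that needs adjusting is the decrypt step once the packer's routine has been read in a decompiler. Row order is read in file order on both sides here; a packer that writes through the Bitmap API instead would store rows bottom-up, which is what the sign of the height field tells you.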

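The "Reads data files stored by FTP clients" hit above is the one that turns into a rotation list during response. FileZilla keeps its profiles in sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla, with passwords base64-encoded unless the user set a master password (then the encoding attribute is "crypt" and the value is not recoverable from the file alone). The parser below is an added example, not Triage's code; the XML it reads is a constructed profile in FileZilla 3.x layout, not data from a real host.

```python
"""Enumerate the FTP credentials an infostealer harvests from FileZilla's
profile files, to know which accounts to rotate on an infected host.
Added example; the profile below is constructed."""

import base64
import xml.etree.ElementTree as ET

# Constructed example in FileZilla 3.x layout (not taken from a real host).
# One base64 entry (recoverable) and one master-password "crypt" entry.
SITEMANAGER_XML = """<FileZilla3 version="3.55.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>prod</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Pass encoding="crypt" salt="0123456789abcdef0123456789abcdef">Q2lwaGVydGV4dA==</Pass>
      <Logontype>1</Logontype>
      <Name>backups</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def parse_filezilla_servers(xml_text: str) -> list:
    """One dict per <Server>: name, host, port, user, password (decoded when
    base64 or plain; None when 'crypt' or absent) and the raw encoding."""
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):      # same shape in recentservers.xml
        pass_el = server.find("Pass")
        encoding = pass_el.get("encoding", "plain") if pass_el is not None else None
        password = None
        if pass_el is not None and pass_el.text:
            if encoding == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            elif encoding == "plain":       # pre-3.26 profiles stored it unencoded
                password = pass_el.text
        entries.append({
            "name": server.findtext("Name"),
            "host": server.findtext("Host"),
            "port": int(server.findtext("Port") or 0),
            "user": server.findtext("User"),
            "password": password,
            "encoding": encoding,
        })
    return entries


def exposed_accounts(xml_text: str) -> list:
    """user@host:port for every entry whose password is recoverable from the
    file, i.e. what a stealer reading this file walks away with."""
    return [
        f"{e['user']}@{e['host']}:{e['port']}"
        for e in parse_filezilla_servers(xml_text)
        if e["password"] is not None
    ]


if __name__ == "__main__":
    for entry in parse_filezilla_servers(SITEMANAGER_XML):
        print(entry)
    print("rotate:", exposed_accounts(SITEMANAGER_XML))
```

The master-password entry still leaks host, port and username, so it belongs on the watch list even though the password itself did not travel in the clear.
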
MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Hits  ID
  Execution             Scheduled Task                1     T1053
  Persistence           Scheduled Task                1     T1053
  Privilege Escalation  Scheduled Task                1     T1053
  Credential Access     Credentials in Files          3     T1081
  Discovery             Query Registry                1     T1012
  Discovery             System Information Discovery  2     T1082
  Collection            Data from Local System        3     T1005
  Collection            Email Collection              1     T1114

Tasks