General

  • Target

    ac6e15c510c0cafcb1fa803876b7f0dd762d9146ed798a9fc292a41c2b2fb36a

  • Size

    378KB

  • Sample

    220521-pgvxwsaecq

  • MD5

    9fa11ce416b52621665418022409f4a4

  • SHA1

    601cf00cb66b591255940a5c0e0e7611d4dfbd11

  • SHA256

    ac6e15c510c0cafcb1fa803876b7f0dd762d9146ed798a9fc292a41c2b2fb36a

  • SHA512

    954c39adb760fa7b622cd3ba11423511ccf89535fa9f2e12cbe623b15227ea3f0ad630d0e0c10a51c1fa18cd19e67b86c4fbb3edca8e5661fb95cf8f9a5bcef7

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.aquariuslogistics.com
  • Port:
    587
  • Username:
    ajay@aquariuslogistics.com
  • Password:
    AQL@2019#$

Targets

    • Target

      80120-DB000372 DATA-SHEET.PDF.exe

    • Size

      419KB

    • MD5

      4b5d862141ef73fa863e0d4efaf9325f

    • SHA1

      014bc77d51c332e3d4dd584a6d9083dd20001079

    • SHA256

      4625689b86b6899465896135d652868b259732b5a82b0645959384c66a35428a

    • SHA512

      36e6eec475ca3d82e1430d9ade252a0e867f68e0717bc0581126151f734f8f4ad226f9f13037b5e85e9a5022ee08e7b950c6ed9de1aabd8dd54b0abd01383678

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic                Technique                            Count  ID
Execution             Scheduled Task                       1      T1053
Persistence           Registry Run Keys / Startup Folder   1      T1060
Persistence           Scheduled Task                       1      T1053
Privilege Escalation  Scheduled Task                       1      T1053
Defense Evasion       Modify Registry                      2      T1112
Discovery             Query Registry                       1      T1012
Discovery             System Information Discovery         2      T1082
Collection            Email Collection                     1      T1114

Tasks