General

  • Target

    75f6f20718312c0ff205aa976d495a1e47fb3c7d3ac614320d5045d98ea86e9a

  • Size

    1.2MB

  • Sample

    220521-pj7z8sfdg8

  • MD5

    04449bb8a34f2cb689d31a282c6a62bb

  • SHA1

    11401d899c0e1cdbf4f4a2fe3aa57f65ebfe673c

  • SHA256

    75f6f20718312c0ff205aa976d495a1e47fb3c7d3ac614320d5045d98ea86e9a

  • SHA512

    8c9715c86fc2dd1a462cf388cc69b4c132bd783a7e54d0c6884fd3fdf48944e171b563b439dc6ff4a6623e8a2bad07824d213dc6eb4697112128215045027a43

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    surelylogs2@yandex.ru
  • Password:
    uzoma1989

Targets

    • Target

      DHL_PACK.EXE

    • Size

      393KB

    • MD5

      30f866d96f91763ce18e90684b8fc9df

    • SHA1

      cf78a4e3ca271270e3063afe251b9130b1e097c2

    • SHA256

      9054664b281021c3f1b59d7672f3633994256697514d2b810e1607541c553212

    • SHA512

      f7bb9923f5cb125fc8d8b8beecc3571fb13aa6ad4b8d973d4b83a16e451f48de1042f65c806677edce4ad11efb0e0311a9b7868edd82d7ed2b79a52a80e1465e

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting: T1064 (1)
  • Scheduled Task: T1053 (1)

Persistence

  • Scheduled Task: T1053 (1)

Privilege Escalation

  • Scheduled Task: T1053 (1)

Defense Evasion

  • Scripting: T1064 (1)

Discovery

  • Query Registry: T1012 (1)
  • System Information Discovery: T1082 (2)

Collection

  • Email Collection: T1114 (1)
