General

  • Target

    4414c64ea8d943a2df9a5200f059db1d4e344afdcc561dcc86678ff5ea1c4ea7

  • Size

    452KB

  • Sample

    220521-pma5nsagdm

  • MD5

    3cb474cb96cf4808979870e6519bdf1f

  • SHA1

    e468aa021349f5928915ad97ff3fff5701d4dbe4

  • SHA256

    4414c64ea8d943a2df9a5200f059db1d4e344afdcc561dcc86678ff5ea1c4ea7

  • SHA512

    563a5efc4182f46b2a8353d876552e4452347f12ed4dbb5325aed952ec4ed3de7abe6e08987cad5645a7eb745e6233d4401efd1f2b8931b23c78915dcf55e2a1

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    ceo@sktech.club
  • Password:
    1234567890Bless#

Extracted

Family

agenttesla

Targets

    • Target

      ORDER _# 6WHQ492788G.exe

    • Size

      841KB

    • MD5

      abc4f95a5cda04a4c1e3c0a1e0a7eb92

    • SHA1

      885bc02ac8295c7cb601df9520f63d0c35b11af5

    • SHA256

      7204eac3f08e94c2330bb47f7caf2464c9b04863bd4f52b67d4e166171165b90

    • SHA512

      1dd983c5b0b183a3526288ccc57837739ff96268117805737796a83c03953129474e1170b31f0e0fe661e483f8e6d86231fee4e1a58cc992de37a28e6f711518

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                      Count  ID
  Execution              Scheduled Task                 1      T1053
  Persistence            Scheduled Task                 1      T1053
  Privilege Escalation   Scheduled Task                 1      T1053
  Credential Access      Credentials in Files           3      T1081
  Discovery              Query Registry                 1      T1012
  Discovery              System Information Discovery   2      T1082
  Collection             Data from Local System         3      T1005
  Collection             Email Collection               1      T1114

Tasks