Overview

overview

10

Static

static

PAYMENT_.exe

windows7_x64

10

PAYMENT_.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3ed1e65518a981c65c2ff49a564c22419b5772051007632c86af3a27384c038a

  • Size

    1.2MB

  • Sample

    220521-pmgbpaffb5

  • MD5

    52e32083c4a8fcb953acf9a1cfdeab0f

  • SHA1

    136c1f01e07cc5b3a543abbb4a996bb5c61fe719

  • SHA256

    3ed1e65518a981c65c2ff49a564c22419b5772051007632c86af3a27384c038a

  • SHA512

    da2380dc8be4610e7f9a0684805a203de5c198010496dc98392e6f4e621b6f1ed475d8e2caec74717269ccc0a1153d5b3038a079fc74c9ae8f7e4e9bbf3fbf4d

Score
10/10
agentteslacollectionkeyloggerrezer0spywarestealersuricatatrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.nsmelectronics.com
  • Port:
    587
  • Username:
    adim@nsmelectronics.com
  • Password:
    vKwp01%6

Targets

    • Target

      PAYMENT_.EXE

    • Size

      538KB

    • MD5

      cb3f6b36b85e93ecd2de62aa8b984184

    • SHA1

      9ec2a38e8962346472ff5c40eb395a28400cf504

    • SHA256

      2e51ce030cc6b516a07506283b3056c047d4f13099f4b0aefc5ed2f6b6c744f1

    • SHA512

      f31faf0ddc80866b470590e2c6173508ee8f90e781242b15e6f0e3eaeb5c48c355fb942ff4d68bc81fa53ca83756a1f6ee750619c701bad3b63bd807a629d048

    Score
    10/10
    agentteslacollectionkeyloggerrezer0spywarestealertrojansuricata

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • suricata: ET MALWARE AgentTesla Exfil Via SMTP

      suricata: ET MALWARE AgentTesla Exfil Via SMTP

      suricata

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks