General

  • Target

    1489521207b240fd4462b9937f2590bb2c4a61d228b246fb80e84e6196758a2d

  • Size

    387KB

  • Sample

    220521-pn3lbaffh8

  • MD5

    ab5342fbc983807f170fec893ffcecc6

  • SHA1

    5e52f83231b6c354c2981be40702ea2bb711e0aa

  • SHA256

    1489521207b240fd4462b9937f2590bb2c4a61d228b246fb80e84e6196758a2d

  • SHA512

    df516e570aed0cb8f43594f440486d3d1bde1608a195de056d2c3441b0a4f1420e4fc60e83827ad524ef6c3b7e38c775d54d10d10c17f492a332c94b97e689d2

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mytecheng.com
  • Port:
    587
  • Username:
    services@mytecheng.com
  • Password:
    Pakistan@321

Targets

    • Target

      DOC.exe

    • Size

      421KB

    • MD5

      1a686ae23aa093aaa8df66976f9c5a80

    • SHA1

      f4d09430ff28c32189a81ffb97dfcb5501ab5cbb

    • SHA256

      09d29a5604548a4d0fafd678d658d78ca9cd38121159b4abc55fed249bc08c06

    • SHA512

      e1ce657e3988ab09e27518749c303652f0307499421bd6b09b6bc4a0fd9c5b1ce19baebbaa7bf43259cc48ee6a52b5d4baaa72b20e130e85b68bde81933d23d3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (1): T1053

Persistence

  • Registry Run Keys / Startup Folder (1): T1060
  • Scheduled Task (1): T1053

Privilege Escalation

  • Scheduled Task (1): T1053

Defense Evasion

  • Modify Registry (2): T1112

Credential Access

  • Credentials in Files (3): T1081

Discovery

  • Query Registry (1): T1012
  • System Information Discovery (2): T1082

Collection

  • Data from Local System (3): T1005
  • Email Collection (1): T1114

Tasks