Overview

overview

10

Static

static

ScanNewOrder_PDF.exe

windows7_x64

10

ScanNewOrder_PDF.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    06a0b1d3f82dc20931af89b03e39602e403972162eff59510b1aa0b2f66b19f8

  • Size

    447KB

  • Sample

    220521-ppv8mafgc8

  • MD5

    f7ac0b9dbaf83b2e96710af501a888ca

  • SHA1

    32917a9487d6521d4bda65483ee4daa3feb41f68

  • SHA256

    06a0b1d3f82dc20931af89b03e39602e403972162eff59510b1aa0b2f66b19f8

  • SHA512

    23e94950ee99fa040313e965ae97eb9d862abfd267963af43436e9e9d57bce6cd58ed7fd93cbe08b0e8ff49b4ba1e5ad6f7094a475b706885cacd93e22db9c32

Score
10/10
agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    alazilch@yandex.com
  • Password:
    internationallove147

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    alazilch@yandex.com
  • Password:
    internationallove147

Targets

    • Target

      ScanNewOrder_PDF.exe

    • Size

      522KB

    • MD5

      09eb69a89839e979e06989df7ea5181f

    • SHA1

      3216c4d9d035c4252116e96539b403cf5a0d8f56

    • SHA256

      e4923f2e3773fadad36727ec18c9b392e8a3c0e01b6428cde077ebad13eda8d7

    • SHA512

      9a924ab439c1f9ff3f3cd6d1245af49652b186fca5916645226e0a3b930efcd2f4b5bcabca284f6b00877b8ef6de4c810114dc9532b78364e1f88241295f12e0

    Score
    10/10
    agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks