General

  • Target

    59da575c89b734e66357a81507047328ba6e7e828f9ce329841c99c53d0d2324

  • Size

    431KB

  • Sample

    220521-pqtq7abadp

  • MD5

    97d24dde6e6c7b88effe116875a41030

  • SHA1

    a4b9080640b1d6d273d110d2b67c1080fd7fd922

  • SHA256

    59da575c89b734e66357a81507047328ba6e7e828f9ce329841c99c53d0d2324

  • SHA512

    c5ae03ff106a430a53c503bb3bb34bdf7b1b54cb5897fb0b349a6f532b2b2a198f6eb9750a232e77882574b22d628a1d8e945990f0b7263796c7f5ab7b8cc65c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.knmbz.com
  • Port:
    587
  • Username:
    ab@knmbz.com
  • Password:
    kJubHQs8

Targets

    • Target

      Payment Copy.PDF (299KB).exe

    • Size

      669KB

    • MD5

      5a20534df9c11a2a6e2803f1941c8fb4

    • SHA1

      9ffc821c1e840d1e8a021ffec3e6ff2b7092a44e

    • SHA256

      96a61524af6f3e722e01243b734279f6c19eca0f3986d4450ee3f76d9d31c79a

    • SHA512

      b1cbcc1e8dd74cbce2610e12d4b96c6129508d21dd91f315b1e3f59f201a0a94d72631447acf3f245d4074d77368a057ca5c327bae6b2232cf75f9528d7b9b1d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 3

  • Collection

    Data from Local System (T1005): 3

    Email Collection (T1114): 1

Tasks