General

  • Target

    b92feb510c36837038c44d8ab317c2ea5634013cfb07b3ae1ef715ee5f17df58

  • Size

    366KB

  • Sample

    220521-ps8m5abbgl

  • MD5

    b2922b85e9d15a3b573d008425e30fe4

  • SHA1

    12ca2f6d516bb5363b5e40fa05a8dad12eaeccdf

  • SHA256

    b92feb510c36837038c44d8ab317c2ea5634013cfb07b3ae1ef715ee5f17df58

  • SHA512

    754087d92e5ac7bd5039a01a2d1ed40631eeef29dbf0388214931239e384e0b4f0fae0f330bc26a9129f810a0bea99d5b7bc186953b1948f83f1ec5d2d329801

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.microtechlab.in
  • Port:
    587
  • Username:
    reports@microtechlab.in
  • Password:
    pune@123

Targets

    • Target

      SHIPPING DOCS _234372.PDF.exe

    • Size

      385KB

    • MD5

      a08a2bda9c51b2d5ca1e38435629cacc

    • SHA1

      46107a6be4613e6c2d1f9e08af63de089417ea10

    • SHA256

      6f4d9739f62d219787f6de178ab8f5fb29f317cac258c567d8d51cddea7aa4ac

    • SHA512

      d3be87d66877a4cf71f2edccd0863c180630b979214c40170fa5585a878f5ea32efa2c10fbd7f6129362b672230978af32f9618cd71a69be3f087f3b56aaf411

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • T1053 Scheduled Task (1)

Persistence

  • T1060 Registry Run Keys / Startup Folder (1)
  • T1053 Scheduled Task (1)

Privilege Escalation

  • T1053 Scheduled Task (1)

Defense Evasion

  • T1112 Modify Registry (2)

Discovery

  • T1012 Query Registry (1)
  • T1082 System Information Discovery (2)

Collection

  • T1114 Email Collection (1)

Tasks