General

  • Target

    d51a8a3027ada81bbca98a43946cf04b117eb8aa96e8ddf0cfcb3b019ae25cc6

  • Size

    441KB

  • Sample

    220521-psdsrabbcl

  • MD5

    357b3805cc9bf454651b6dbbc8321207

  • SHA1

    82018567972edac92bcbe99317e3e8ab6ba4e663

  • SHA256

    d51a8a3027ada81bbca98a43946cf04b117eb8aa96e8ddf0cfcb3b019ae25cc6

  • SHA512

    aa4ec7c234fe8399084b1405e35617bf6d33c8047f18263dbe32a83e60e5705d7264cd985570152dbfa04dc51d5721ad89d54735d3343dfff1b40106de635625

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.svpcelectricals.com
  • Port:
    587
  • Username:
    purchase@svpcelectricals.com
  • Password:
    svPower@2020

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.svpcelectricals.com
  • Port:
    587
  • Username:
    purchase@svpcelectricals.com
  • Password:
    svPower@2020

Targets

    • Target

      Invoice.exe

    • Size

      486KB

    • MD5

      5edbc50ab8e12ef777ea5e93a33691a9

    • SHA1

      7e594a13f98853957457cac558918559ea9a4353

    • SHA256

      9758be977d998b5d9fe34b4990e071a1001082b46da18ddfd160f26f46e784fe

    • SHA512

      ec940bb3bdaa2e39fdcebfb9af5d089f93c550a5c1702faa876f4b7d173ddf52a314da4da529a43cac11d3d7fcc6371a45039692307df8a218c5beb9fcae6bdb

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    • T1497 Virtualization/Sandbox Evasion (2)

  • Credential Access

    • T1081 Credentials in Files (3)

  • Discovery

    • T1012 Query Registry (4)

    • T1497 Virtualization/Sandbox Evasion (2)

    • T1082 System Information Discovery (2)

    • T1120 Peripheral Device Discovery (1)

  • Collection

    • T1005 Data from Local System (3)

    • T1114 Email Collection (1)

Tasks