757549d7c173934192681bca78e6733c9a603d154f43aaec46f1da04a7121fb6

Target

Size

573KB

Sample

220521-pwgc2sbcfp

Score

10 ^/10

MD5

3a956572dbc7bab624cedfd3bb3bc131

SHA1

1c6957d78f1cd95ed8cd00fa3ff5447eb094d328

SHA256

757549d7c173934192681bca78e6733c9a603d154f43aaec46f1da04a7121fb6

SHA512

c3bb6addd2749b33f8b23eb592af94583a8b3144e42bb5049d47726eb225f910563fc4785855cf7d9fa71b0fea05c14deb5a8d7f8c9e30f86bc05a4f953ce82c

Target

未付发票付款USD_.exe

MD5

e26c1a2e7a9cc1d8123376e0d3463578

Filesize

606KB

Score

10^/10

SHA1

3d6694eac8f1ffd542a597a3ae99909511c2af0a

SHA256

f926c0f688d754fe65d6920b383aa16bf9aeb87910bfd1138fbe32e271a46eda

SHA512

546e6ad52cd746c5466572a34cc329f3334a6069386549b49c365cc4e57416288dd952a2cc5aed1040842d7b3ba07229a1279fc2fe9c04fb0a96224fc445cd4d

Signatures

AgentTesla
Description

Agent Tesla is a remote access tool (RAT) written in visual basic.
Tags

keylogger trojan stealer spyware agenttesla
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Looks for VMWare Tools registry key
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Reads data files stored by FTP clients
Description

Tries to access configuration files associated with programs like FileZilla.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Reads user/profile data of local email clients
Description

Email clients store some user data on disk where infostealers will often target it.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses Microsoft Outlook profiles
Tags

collection

TTPs

Email Collection
Maps connected drives based on registry
Description

Disk information is often read in order to detect sandboxing environments.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Virtualization/Sandbox Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

static1

behavioral1

agenttesla collection evasion keylogger spyware stealer trojan

10^/10

behavioral2

agenttesla collection evasion keylogger spyware stealer trojan

10^/10

Tags

Signatures

AgentTesla

Description

Tags

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

Tags

TTPs

Looks for VMWare Tools registry key

Tags

TTPs

Checks BIOS information in registry

Description

TTPs

Checks computer location settings

Description

TTPs

Reads data files stored by FTP clients

Description

Tags

TTPs

Reads user/profile data of local email clients

Description

Tags

TTPs

Reads user/profile data of web browsers

Description

Tags

TTPs

Accesses Microsoft Outlook profiles

Tags

TTPs

Maps connected drives based on registry

Description

TTPs

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2