Overview

overview

10

Static

static

PO 4800049984.exe

windows7_x64

10

PO 4800049984.exe

windows10-2004_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6b358e7947ac67fa83c41b8ea0616367ef7fc381af1c75a63fddc135bb012ac9

  • Size

    369KB

  • Sample

    220521-pwnr5abcgl

  • MD5

    142467d4e209bfff239ee1f58a59ec27

  • SHA1

    8e1cb0d2443996cf6d0e686316a0b9028b42c64b

  • SHA256

    6b358e7947ac67fa83c41b8ea0616367ef7fc381af1c75a63fddc135bb012ac9

  • SHA512

    1469f0a35ebdc80ff0f92628af45e3c183250573e9dbf6e93e506740ef7595d0f87c23464f38afa8d0b336fb1ea12e68fcab86da51d0ee306a5a8242be59cb34

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      PO 4800049984.exe

    • Size

      405KB

    • MD5

      ad5ecefbac91d7cee3191da22872e2ec

    • SHA1

      c4c6bc3ce6e2ee682982403e97eb5364ebd9b01d

    • SHA256

      301c31d38f7cb13d8128b53666c66e251d7a398c1b0fdae66d52ab0d377852ef

    • SHA512

      0375ba09e09e00c63aa8d20d3c25751139c2b5bfc98f8664258349b696a0edc001c5070a38968325887943b8b07a8c6b8f89a8ca1c10c41db7113c2ae568cd87

    Score
    10/10
    agentteslacollectionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Command and Control

Credential Access

Credentials in Files

3
T1081

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

1
T1053

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Tasks