General

  • Target

    68f190b3fd347501e6735d88d9ca580a9745d4371b0b28626533ec278ef48805

  • Size

    237KB

  • Sample

    220521-pwpz7abcgn

  • MD5

    ffd7b386961ba77ef6797eec3a7b0f3f

  • SHA1

    14235bfac5f6270190c722acf9c048193ad434a1

  • SHA256

    68f190b3fd347501e6735d88d9ca580a9745d4371b0b28626533ec278ef48805

  • SHA512

    cf5a7c84a87a5e825a125c57a7ee26604706d8fd7d2f08ce0a4e1715dda0ee1a60fea36e9f15358b1de9a6d1f11a497b62a04e941ebdaa4f91387d40c4682320

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.bestinjectionmachines.com
  • Port:
    587
  • Username:
    v6engine@bestinjectionmachines.com
  • Password:
    wN{qPRgN7Lo~

Targets

    • Target

      PI . 290.pdf.exe

    • Size

      658KB

    • MD5

      165a8076aefc984b43248293ffe0fe04

    • SHA1

      5c5f6a1d70db1493f3d9f3a0f17b6afdba2727b9

    • SHA256

      5889fd00dbdb63d2e655258fac2143f291c1f94d515c8a94707f3c439fde5932

    • SHA512

      337b467b703261bc311d45811901f55ec452a3f6dbcd6717969f9ead9738ed2be7c9e7052dd03fa07ececd366f0e7278aafa80b1e41ebb3bc015b2c37f502055

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            Signatures  ID
  Persistence        Registry Run Keys / Startup Folder   1           T1060
  Defense Evasion    Modify Registry                      1           T1112
  Credential Access  Credentials in Files                 3           T1081
  Discovery          Query Registry                       1           T1012
  Discovery          System Information Discovery         2           T1082
  Collection         Data from Local System               3           T1005
  Collection         Email Collection                     1           T1114