General

  • Target

    8690aab3bd2e7094664601bbf739c93e163c7ece800b977e117d6cf7cc10a0d6

  • Size

    392KB

  • Sample

    220521-xcxjxsegcm

  • MD5

    045d5f812beb60e7e972da7859f54371

  • SHA1

    c07fa525a57830010a2baf970091c356b25d1248

  • SHA256

    8690aab3bd2e7094664601bbf739c93e163c7ece800b977e117d6cf7cc10a0d6

  • SHA512

    f9b2f98d58862236aab1b57542798f87334cf517d0698ca17c310394dd93586b0cd6f7512f358448a10ae62505eb136c30fcecba834dff3a076b8f5164d00b1f

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    mentorloz@returntolz.com
  • Password:
    Aboki@1234

Targets

    • Target

      Order.exe

    • Size

      440KB

    • MD5

      a8853d86e049ef88fcec04db0813c9b6

    • SHA1

      07a072c932d58c9986e40133e531892cccd81768

    • SHA256

      1da5c90fc98d1bc40ce6b94057b350cc13fc508b9e8af411d4ee62ccedc57a86

    • SHA512

      93d670736363c4845c86042d3dd83d4eaa041bf1f67a12e4183010b1cfd87ceb0883fd54b77732ed9a623e16a3a18a21a8dceb89e653d213e3991a801d7bd5f1

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081), 3 hits
  • Collection
    Data from Local System (T1005), 3 hits
  • Collection
    Email Collection (T1114), 1 hit

Tasks