Overview

overview

10

Static

static

INVOICE.exe

windows7_x64

10

INVOICE.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    477b21660b3ecaf3a5822b9c46a8b0790755b7506c6ea1933177cd82bcf440ef

  • Size

    382KB

  • Sample

    220521-xmc82afdap

  • MD5

    425d2299a175933b983b6b48b35113f8

  • SHA1

    5ce6fb416c6ff1b2f25315fc20aed00ef06c367b

  • SHA256

    477b21660b3ecaf3a5822b9c46a8b0790755b7506c6ea1933177cd82bcf440ef

  • SHA512

    ca63461431131441de87eb7c04d2f7d1e23431d7a88a48926849b4cfb6be4532dd15639abb643da004a5545746e47b3a2685d9d7bab9fa3647bb565ede82ff21

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.ionos.es
  • Port:
    587
  • Username:
    bailen@famorga.com
  • Password:
    Famorga2017

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.ionos.es
  • Port:
    587
  • Username:
    bailen@famorga.com
  • Password:
    Famorga2017

Targets

    • Target

      INVOICE.exe

    • Size

      416KB

    • MD5

      a4975ac7f40ccf4d1803e8edb97dce9e

    • SHA1

      2c7d642447cfb2a4b1ce65659ed383b0c96f11ed

    • SHA256

      fda1d068f7b5e8dcbaa65b83088db628ebc9e6420a9fdd258fb5f62bcb4b0935

    • SHA512

      e7b9c414498f1bf101aaa8a77f94266acf6099cb62e9027a8707d71195ece5f67c48745e3f72b7f77ea15bce803990852f3668c8069b2ab4e49b527e4165a681

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks