General

  • Target

    2684031accd6c43abe67d62f1901374970f18999c51c7fd19d0d047ea7232fb8

  • Size

    366KB

  • Sample

    220521-xmjqtacag5

  • MD5

    43ac4837ede606f770bdc08667d5ed13

  • SHA1

    526bfef123357bba6ba8b347bf7f82ce294954e4

  • SHA256

    2684031accd6c43abe67d62f1901374970f18999c51c7fd19d0d047ea7232fb8

  • SHA512

    e3fdcca4f025d770d4fc95b76f6b19b358b70a51a9f5eb93c25dece3738d1357e0bea7a81693020f964fe5ee444978ddf278a02764738202058980065171e512

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    jaffinmark@yandex.ru
  • Password:
    @jaffinmarknma@344

Targets

    • Target

      RFQ140820.exe

    • Size

      411KB

    • MD5

      09013774aa4a7b0a4394f394a0f2fb42

    • SHA1

      9cd0e4e63f41ffedb73cb26b73dea0ea661fd216

    • SHA256

      6011714f77a9cfdf682b04df3490a0ca227d9a64074946304b8ccd0c83e6264e

    • SHA512

      f5676ee01bc1aeaf3877202dddcbbfe68921ef2363f4b70f907b05ba3921e519c50f0cb780ae52245894079b49b134f42c2352c2170a3c1f31842e9da7451d56

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Credential Access
    Credentials in Files (3) T1081
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082
  • Collection
    Data from Local System (3) T1005
    Email Collection (1) T1114

Tasks