Overview

overview

10

Static

static

Purchase o...es.exe

windows7_x64

1

Purchase o...es.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Purchase order PO 137691-Prices.exe

  • Size

    77KB

  • Sample

    220706-e8sxhaagd6

  • MD5

    cf6bd5ec5a6e342d178606342c4ed570

  • SHA1

    07d672b6844c6ae6e7a24d2f5b70303c584689de

  • SHA256

    3fbd622eb1a9ecc989c5938bc7d4368096a4be0035d727a636bfcf00c870b1fd

  • SHA512

    ec49e9a6f8af2eb87b80e86d584762a01b8762ba7c9e470a7151c31c3308002a939cbfdfb6adf93a44d83f39a68c2fe5792f2c7b44e9d10232ddb3cefcd3316b

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.agro-egypt.com
  • Port:
    587
  • Username:
    mustafa@agro-egypt.com
  • Password:
    Alex@306

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.agro-egypt.com
  • Port:
    587
  • Username:
    mustafa@agro-egypt.com
  • Password:
    Alex@306
  • Email To:
    wokwok507@yandex.com

Targets

    • Target

      Purchase order PO 137691-Prices.exe

    • Size

      77KB

    • MD5

      cf6bd5ec5a6e342d178606342c4ed570

    • SHA1

      07d672b6844c6ae6e7a24d2f5b70303c584689de

    • SHA256

      3fbd622eb1a9ecc989c5938bc7d4368096a4be0035d727a636bfcf00c870b1fd

    • SHA512

      ec49e9a6f8af2eb87b80e86d584762a01b8762ba7c9e470a7151c31c3308002a939cbfdfb6adf93a44d83f39a68c2fe5792f2c7b44e9d10232ddb3cefcd3316b

    Score
    10/10
    agentteslacollectionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks