General

  • Target

    Scan_9720_pdf.js

  • Size

    1KB

  • Sample

    220915-pxdnjsggfk

  • MD5

    41df811a79f6c7f3b7f227cd3ae1a8dc

  • SHA1

    a9ba5e3a365165dfc568995b2b98419c63dab0e0

  • SHA256

    3380d9578f860b0cd470e0bef533f38f1baad8240d923e6ca2eb4ad2d0dcac27

  • SHA512

    dce6b1d9c035bbf4f2acf3dde2893886868fd3f9f33340b1b3e1df1125c686fe9159dcfd1e6540d3774b593ca7064f488f7b3a84b7f3b70b469c9330d8abb292

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    %2B
  • Port:
    21
  • Username:
    application/x-www-form-urlencoded
  • Password:
    image/jpg

C2

p=

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6