Overview

overview

10

Static

static

OM5MBSiDi5Jh2Eb.exe

windows7-x64

10

OM5MBSiDi5Jh2Eb.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    OM5MBSiDi5Jh2Eb.exe

  • Size

    1.0MB

  • Sample

    221001-lw7nfsgggr

  • MD5

    66f89d7f972da4bbe61f962ac564a0f7

  • SHA1

    91b4b1cf5476d3efb3cae94242839ebe6510896e

  • SHA256

    c21c06afc6271ed3807278e2dc61a4683d3b8d2e425133529e6c88ff1ee89d73

  • SHA512

    e397b64eb038dc1c099edb19977c877aa143f4dd57efec6917ce116faee2b75fdda799294aac14a352bf5df42eda230eeb090aaabaae3507d43983df743973ec

  • SSDEEP

    12288:m0ZVo+XftFbT7XY5PoU3zScuE5GYKBURGuyWXDNJ4t2FsEWhpVqlTHEykGo4NgC5:zFFbHIJv3zHGpU4ullWAJk4qCGosmtJ

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.ormretsan.com
  • Port:
    587
  • Username:
    umut@ormretsan.com
  • Password:
    AGjluYt1

Targets

    • Target

      OM5MBSiDi5Jh2Eb.exe

    • Size

      1.0MB

    • MD5

      66f89d7f972da4bbe61f962ac564a0f7

    • SHA1

      91b4b1cf5476d3efb3cae94242839ebe6510896e

    • SHA256

      c21c06afc6271ed3807278e2dc61a4683d3b8d2e425133529e6c88ff1ee89d73

    • SHA512

      e397b64eb038dc1c099edb19977c877aa143f4dd57efec6917ce116faee2b75fdda799294aac14a352bf5df42eda230eeb090aaabaae3507d43983df743973ec

    • SSDEEP

      12288:m0ZVo+XftFbT7XY5PoU3zScuE5GYKBURGuyWXDNJ4t2FsEWhpVqlTHEykGo4NgC5:zFFbHIJv3zHGpU4ullWAJk4qCGosmtJ

    Score
    10/10
    agentteslakeyloggerspywarestealertrojancollection

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks