General

  • Target

    payment.zip

  • Size

    650KB

  • Sample

    221003-phe8tsfbc9

  • MD5

    a178a9953da65155d13e0500b00fa139

  • SHA1

    74561cbfcd2f3a2a66ae99ba912bc60f77dbb702

  • SHA256

    b2b68841e3731c4f589c2bb6f57525e9f3cf9d8dcb9dc364311e1bca83c38ef4

  • SHA512

    7ffef9cde033cfd40d11f3060c6d21b5cac8f6dc40088f5a6085da9aa08818da7ca245e04eee3d4f4aac9ba43b40b54ef990078fdd563b1b1c1875c3afcba540

  • SSDEEP

    12288:CbSrpokgd0QbO0Y9NySwmnhNJm9+KJPgVwM3STtG3MhL0uFQPZ+cHOBaHkr7k:rSkNrZwUha93dgp3onhL04QR+P8Er7k

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pisc.lk
  • Port:
    587
  • Username:
    sales@pisc.lk
  • Password:
    PIsafeTY2021

Targets

    • Target

      payment.exe

    • Size

      967KB

    • MD5

      d2ce4f35ff81cb0c2d3c520315f770b4

    • SHA1

      5c2cb8885ead96ea73c86d5645984aa1666dfc90

    • SHA256

      69ca3b794c4faf2dbf082983793d0fbfbea3f957e758e8512ccd01c3abed13fa

    • SHA512

      3c6d1634c514ba8e3b023456264282c2900648c7a89a9920be916a19b53198279bb0f51fce508100f0ed7ccf3edb5dcc16b6f23305137fb54e26e39edae2778c

    • SSDEEP

      12288:aZK4HTNZyRNwwwm3FNxmH+OvPgnwwlITtG9W1L0iFYP74cfoBaHwZUnys5i:pnwOFmHZ3gVlSD1L08Yj4Z8QZT

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Collection

    Email Collection (T1114): 1

Tasks