General

  • Target

    RFQ E22-0350 pdf.zip.exe

  • Size

    1.2MB

  • Sample

    221125-lyfbzscf71

  • MD5

    18bb5d9bdba44a27341244d0d988e8a7

  • SHA1

    e5055d4b1909f9366149dc0870e301bb665c1d47

  • SHA256

    f3e1de591d92fcd9d64d221505e83d93f5639a8f154323e2d82923251d7e57b6

  • SHA512

    08253f6fcbf58db3383a83e25a2f439925bb0e2c59d2ce114b66884c47803284234911d5d7618de28c434f0d657f77a5a9a3ca109c68e773c95ed02ee6bd9df8

  • SSDEEP

    24576:VwGLqdOlfOCzrd5xSQalVte3697LBRUeeVP5jT:lLqdO30QatxvUf5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    host39.registrar-servers.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    a^m %0E DAg Q$G

Targets

    • Target

      RFQ E22-0350 pdf.zip.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6