General

  • Target

    REMITTANCE COPY.exe

  • Size

    846KB

  • Sample

    221129-17xpyscg54

  • MD5

    e54ca4f235a6878e6c4913b4ddcba055

  • SHA1

    b91ce873b8a93b46ebac12b5d1e62f3a1a9dd27f

  • SHA256

    6acfd9ea1b88077926a542fd286da3119b626792f71b09927ca252236245d43a

  • SHA512

    989091a3525ea3e57554530dab20d934e146caadb4b67a01b612f132758cb5b040529063b3d0eaa3abd782b04b6c11b7ea51a53330160b3cb75bc313201d49da

  • SSDEEP

    12288:5RfBQNcgqo2Fr5cE8LHWt/SEdRMA/LyVu6gtY1OaQ3vf8aCmlSVB8Xbc20/HIPPB:r+qopvLC9/L1t+xQFCmQPxHInQ

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.orogenicgroup-bd.com
  • Port:
    587
  • Username:
    amir.hossain@orogenicgroup-bd.com
  • Password:
    Hossain$3400
  • Email To:
    info@ledcenter.by

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

  • Collection

    Email Collection (T1114): 1