Resubmissions

  • 05-12-2022 16:23

    221205-tv5fpsfe42 (score 10)

  • 05-12-2022 15:18

    221205-sp28qafa2w (score 7)

General

  • Target

    Attachments.zip

  • Size

    321KB

  • Sample

    221205-tv5fpsfe42

  • MD5

    e9bc2f2323b176bdf4653010637e2525

  • SHA1

    97f9fbfcc48eb2d05b4024ced41065659e42a6a3

  • SHA256

    921adb804f89d2f3aceb2afed67da29659da67e70fafd2f04820a0ae6e183a10

  • SHA512

    b41cd9591b474d8945316820307b58c8dde2258612b7f04599ad8d427cb8f0d3b14e2abb7608b8675fe25e10d208b5ed84f053377f7dbb3dd79c0e704c746607

  • SSDEEP

    6144:HhjDXg9cMgWdgp/wW02zhK7MuvcTRobXpg+P:H1rWdo/zLujpg+P
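The hashes above (and those of the dropped .vbe listed under Targets below) are only useful if you can match a suspect file against them quickly and without extracting anything to disk. The following is an added example, not output of the sandbox or code from the report: it streams a file once through MD5, SHA-1, SHA-256 and SHA-512, hashes the members of a zip in memory, and compares the results to the IOC table copied from this page. The `build_sample_zip` helper and the demo contents are constructed test data, not the real Attachments.zip. SSDEEP is deliberately left out; fuzzy matching needs the ssdeep library and a threshold policy of its own.

```python
"""Check a file (and the members of a zip) against the hashes in this report."""
import hashlib
import io
import zipfile
from typing import Dict, Iterable, Set, Union

# Hashes copied from the report: the submitted archive and the .vbe inside it.
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "Attachments.zip": {
        "md5": "e9bc2f2323b176bdf4653010637e2525",
        "sha1": "97f9fbfcc48eb2d05b4024ced41065659e42a6a3",
        "sha256": "921adb804f89d2f3aceb2afed67da29659da67e70fafd2f04820a0ae6e183a10",
        "sha512": "b41cd9591b474d8945316820307b58c8dde2258612b7f04599ad8d427cb8f0d3b14e2abb7608b8675fe25e10d208b5ed84f053377f7dbb3dd79c0e704c746607",
    },
    "Salary-Increase-Datasheet-Deceember-2022.vbe": {
        "md5": "03f14b68315fa272d3f573c265fad342",
        "sha1": "1ab4db87eda2c6e38adf91db4769a0d35468afdf",
        "sha256": "ca69ae5499c657b8b383cf6351147762093ecaa876f8b7c31850b32e10dc8c89",
        "sha512": "a5e8171828dbf7074a1fedea6a6bcad1341387cc238a12411e70b4ba78d5effdd81d5e21d61971bc09cde6a0207ce5776a5e2eed5bd0e560666de076c5282a3c",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four digests so the input is read only once."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_chunks([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file in 1 MiB chunks; works for files far larger than RAM."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(chunk_size), b""))


def hash_zip_members(archive: Union[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Hash each member in memory, so nothing malicious ever lands on disk."""
    source = io.BytesIO(archive) if isinstance(archive, bytes) else archive
    result: Dict[str, Dict[str, str]] = {}
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                result[info.filename] = hash_chunks(iter(lambda: member.read(1 << 20), b""))
    return result


def match_iocs(hashes: Dict[str, str], iocs=REPORT_IOCS) -> Dict[str, Set[str]]:
    """Map IOC name -> algorithms that matched (hex compared case-insensitively)."""
    hits: Dict[str, Set[str]] = {}
    for name, known in iocs.items():
        matched = {algo for algo, value in known.items()
                   if algo in hashes and hashes[algo].lower() == value.lower()}
        if matched:
            hits[name] = matched
    return hits


def verdict(hits: Dict[str, Set[str]], iocs=REPORT_IOCS) -> str:
    """'match' only when every recorded algorithm agrees; a subset (e.g. MD5 alone)
    points at a mistyped IOC or a deliberate collision and deserves a second look."""
    if not hits:
        return "no match"
    full = all(algos == set(iocs[name]) for name, algos in hits.items())
    return "match" if full else "partial match, verify IOC record"


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test archive for the demo (NOT the Attachments.zip from the report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Demo on constructed data; on a real case call hash_file("Attachments.zip") instead.
    sample = build_sample_zip({"constructed.vbe": b"harmless constructed content"})
    print("archive:", verdict(match_iocs(hash_bytes(sample))))
    for member, hashes in hash_zip_members(sample).items():
        print(member, hashes["sha256"], verdict(match_iocs(hashes)))
```

Compare all four digests rather than just one: the report publishes four so that a single weak algorithm (MD5 or SHA-1) can never be the sole basis of a match, and `verdict` makes a one-algorithm hit visible instead of silently counting it.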

Malware Config

Extracted

  • Family

    agenttesla

Extracted Credentials (the sample's SMTP exfiltration account)

  • Protocol:
    smtp
  • Host:
    smtpout.secureserver.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    somethingcute4806657158

Targets

    • Target

      Salary-Increase-Datasheet-Deceember-2022.vbe

    • Size

      602KB

    • MD5

      03f14b68315fa272d3f573c265fad342

    • SHA1

      1ab4db87eda2c6e38adf91db4769a0d35468afdf

    • SHA256

      ca69ae5499c657b8b383cf6351147762093ecaa876f8b7c31850b32e10dc8c89

    • SHA512

      a5e8171828dbf7074a1fedea6a6bcad1341387cc238a12411e70b4ba78d5effdd81d5e21d61971bc09cde6a0207ce5776a5e2eed5bd0e560666de076c5282a3c

    • SSDEEP

      12288:Y4xIeYbcj1U0xh99kYjUBW9g3VneffpEb:ieJxU0N93gW9ySfpEb

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer (early builds were written in Visual Basic .NET). It harvests credentials from browsers and mail clients and exfiltrates them over channels such as SMTP, which is the protocol in the extracted config above.

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, a common way to detect that the sample is running in a virtual machine or sandbox.

    • Checks computer location settings

      Reads the country code configured in the registry, likely to geofence execution to or away from particular regions.

    • Accesses Microsoft Outlook profiles

      Reads the registry profile data where Outlook stores account settings and saved credentials (the Email Collection technique below).

    • Adds Run key to start application

      Writes a Run key so the payload is relaunched at logon (the Registry Run Keys technique below).

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP, which Agent Tesla typically includes in the stolen-data report it sends.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates threads with the hide-from-debugger flag so an attached debugger receives no events for them.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Sets ThreadHideFromDebugger on existing threads for the same anti-debugging effect.

    • Suspicious use of SetThreadContext

      Rewrites a thread's context to redirect execution, typical of process hollowing or shellcode injection.
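The extracted config gives a concrete network detection opportunity: a workstation opening SMTP to smtpout.secureserver.net on port 587. The following is an added example, not part of the sandbox report, showing how that hunt looks over Zeek-style dns.log and conn.log records. The log lines are constructed for the example, and the workstation range (10.20.0.0/16) and the single sanctioned relay (10.1.1.25) are assumptions about an environment, not facts from the page; the relay hostname is the one in the credentials block above.

```python
"""Hunt for workstation SMTP sessions to non-corporate relays, the shape the
extracted AgentTesla config (smtpout.secureserver.net:587) takes on the wire."""
import ipaddress
import json
from typing import Dict, List, Set

# Assumptions, not from the report: workstation range and the only sanctioned relay.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SANCTIONED_RELAYS: Set[str] = {"10.1.1.25"}
SMTP_PORTS = {25, 465, 587}
# Relay host taken from the extracted credentials block.
KNOWN_EXFIL_HOSTS: Set[str] = {"smtpout.secureserver.net"}

# Constructed Zeek-style JSON lines (dns.log, then conn.log); not captured traffic.
DNS_LOG = """
{"ts": 1670255000.1, "id.orig_h": "10.20.5.17", "query": "smtpout.secureserver.net", "answers": ["198.51.100.25"]}
{"ts": 1670255001.0, "id.orig_h": "10.20.5.17", "query": "www.example.com", "answers": ["203.0.113.80"]}
"""
CONN_LOG = """
{"ts": 1670255002.4, "id.orig_h": "10.20.5.17", "id.orig_p": 50012, "id.resp_h": "198.51.100.25", "id.resp_p": 587, "proto": "tcp", "service": "smtp"}
{"ts": 1670255003.0, "id.orig_h": "10.20.5.17", "id.orig_p": 50013, "id.resp_h": "10.1.1.25", "id.resp_p": 587, "proto": "tcp", "service": "smtp"}
{"ts": 1670255004.2, "id.orig_h": "10.1.1.25", "id.orig_p": 41000, "id.resp_h": "203.0.113.9", "id.resp_p": 25, "proto": "tcp", "service": "smtp"}
{"ts": 1670255005.5, "id.orig_h": "10.20.5.17", "id.orig_p": 50014, "id.resp_h": "203.0.113.80", "id.resp_p": 443, "proto": "tcp", "service": "ssl"}
{"ts": 1670255006.1, "id.orig_h": "10.20.7.3", "id.orig_p": 50500, "id.resp_h": "192.0.2.44", "id.resp_p": 465, "proto": "tcp", "service": "-"}
"""


def parse_jsonl(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ip_to_names(dns_records: List[dict]) -> Dict[str, Set[str]]:
    """Invert DNS answers so a destination IP can be labelled with the name asked for."""
    names: Dict[str, Set[str]] = {}
    for rec in dns_records:
        for ip in rec.get("answers", []):
            names.setdefault(ip, set()).add(rec["query"])
    return names


def is_workstation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def find_suspicious_smtp(conn_records: List[dict], names: Dict[str, Set[str]]) -> List[dict]:
    """Workstations have no business speaking SMTP to anything but the sanctioned relay.
    Match on port, not on Zeek's service field: an unidentified session shows as '-'."""
    events = []
    for rec in conn_records:
        src, dst, dport = rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"]
        if dport not in SMTP_PORTS or not is_workstation(src) or dst in SANCTIONED_RELAYS:
            continue
        dst_names = names.get(dst, set())
        reason = "known exfil relay" if dst_names & KNOWN_EXFIL_HOSTS else "unsanctioned relay"
        events.append({"ts": rec["ts"], "src": src, "dst": dst, "dport": dport,
                       "names": sorted(dst_names), "reason": reason})
    return events


if __name__ == "__main__":
    for ev in find_suspicious_smtp(parse_jsonl(CONN_LOG), ip_to_names(parse_jsonl(DNS_LOG))):
        print(ev)
```

Port 587 is STARTTLS, so the message body and the hard-coded credentials are not visible on the wire; the pivot is the DNS lookup of the relay name and the fact that a workstation initiated SMTP at all. Because smtpout.secureserver.net is a shared, legitimate provider relay, the response is to block outbound 25/465/587 from workstations at the egress firewall and report the abused account to the provider, not to blocklist the relay itself.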

MITRE ATT&CK Matrix (ATT&CK v6 technique IDs)

Tactic                Technique                            Count  ID
Persistence           Registry Run Keys / Startup Folder   1      T1060
Defense Evasion       Modify Registry                      1      T1112
Discovery             Query Registry                       2      T1012
Discovery             System Information Discovery         3      T1082
Collection            Email Collection                     1      T1114
Command and Control   Web Service                          1      T1102

The IDs follow ATT&CK v6 as labelled by the sandbox; T1060 was retired in later ATT&CK versions in favour of T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), so map it before feeding these into current tooling.
