Resubmissions

23-01-2023 02:29

230123-cyn5fsbe76 10

General

  • Target: FW_ POSSIBLE FRAUD_ Purchase Order No. BCM190282_Project 2023-01-23T09_54_31+08_00.eml
  • Size: 676KB
  • Sample: 230123-cyn5fsbe76
  • MD5: 879cb17ef57ef0ebdca7b654f821a966
  • SHA1: 695f355f072a4638575524c22908a3d81f488899
  • SHA256: 3059d397df293d2e922f386abaf6cb264005b41274e33fd5b2d909407d6db256
  • SHA512: 70e95c18ec8eb157cd99c196e8f5a8a0d8f48cb2aadc31bfb2249a580d240f8cb731f42d180afef2a595ac19ce24b7e746f4077c563a5656f7d4fe6a5fb3e9df
  • SSDEEP: 12288:tFZrCIlsx7aQSMBrRzaIBzBeudEd9fjeBEPW/tNQsbFkspBzj6MD+tk2j:HMGW7apGrnBeudEME+/THpl+tkA

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: Smtp.ionos.es
  • Port: 587
  • Username: mgonzalez@inkor.es
  • Password: Random1@@##

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: Smtp.ionos.es
  • Port: 587
  • Username: mgonzalez@inkor.es
  • Password: Random1@@##
  • Email To: fresh.italian@yandex.com

Targets

  • Target: Purchase Order No. BCM190282Project.exe
  • Size: 552KB
  • MD5: 085621949a07bb1b819fe5c6894e7381
  • SHA1: 01137a34ab984239fc8517dd79635aaabbfa27b2
  • SHA256: e183f9caf4ab50798816cb2619cbae642d0952df6cf0820524ef2ca631728b3d
  • SHA512: 2c622c8b1d5d22957bd03be3fd3271c3eb592aff40b7ef5bbe47cfd484f5305e8aab907befdf5a356200f69bfd887843abb3d94a5c00668601f4b9782ab0ad96
  • SSDEEP: 6144:SDgK3Jc/yQeIBLXKvZm5BnZhFY+X550ykb6w5jZSZFMIWJaO74kr2BMRIbhQFu+K:0d5c66BLX/PZjpQNCAaOEkuTEo3

  • AgentTesla
    Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  • Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.
  • Reads data files stored by FTP clients
    Tries to access configuration files associated with programs like FileZilla.
  • Reads user/profile data of local email clients
    Email clients store some user data on disk, where infostealers often target it.
  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials.
  • Accesses Microsoft Outlook profiles
  • Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task, T1053 (1)
  • Persistence: Scheduled Task, T1053 (1)
  • Privilege Escalation: Scheduled Task, T1053 (1)
  • Credential Access: Credentials in Files, T1081 (3)
  • Discovery: Query Registry, T1012 (1); System Information Discovery, T1082 (2)
  • Collection: Data from Local System, T1005 (3); Email Collection, T1114 (1)

Tasks