Overview

overview

10

Static

static

1

ORDER_PO.exe

windows7-x64

10

ORDER_PO.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    nORDER_PO.IMG

  • Size

    1.2MB

  • Sample

    230330-n8vwjace78

  • MD5

    e791286741e84294768f0e7aa638dd30

  • SHA1

    b18fa167a57fe39d9b0a92792c7223c69fae9a17

  • SHA256

    7fa315da449b28029d277ddd4a5568664f52f56ad234d6f43949533e9d4a6e6c

  • SHA512

    745c812bea28248036e201ce22a278f87a2036a5a0692071abbbf8405a5978458d16ce288e6c65eec5220afcf48d9f9a7d0f26e5eee4229060bed4793394ab39

  • SSDEEP

    24576:Sb3yVAYp4DS9qw/jE9cPi9Dt8nw2fOEevimX:SDyNpDqw/jETDt8nRmE

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.ardsmmm.com
  • Port:
    587
  • Username:
    ebru@ardsmmm.com
  • Password:
    Ard2015**
  • Email To:
    lifeh3dl@gmail.com

Targets

    • Target

      ORDER_PO.EXE

    • Size

      675KB

    • MD5

      6b086fd896d82d0707ac4fa29eee1569

    • SHA1

      ef66a56b2910aaa72c91310151d93fe8a2ca9738

    • SHA256

      8065d7457588be9190ebc01cc9a6f42ba2e63eaeaa2157b6525f0a186548da00

    • SHA512

      2ad7685609102f09b0829ed7d56df238b6230e341c98bb2d17c56f45ed9e19c770d7e744fa139ecc2c6415aa10dfed6e14a64c6ad8a862d81ace9fb1247fd269

    • SSDEEP

      12288:a442y8kGK3yVAID28p4DJGOA9kHwC5ojE9cPPqyCDXZP8nwH0q+TXLOfsevimOMM:Qb3yVAYp4DS9qw/jE9cPi9Dt8nw2fOEW

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks