General

  • Target

    QUOTATION.zip

  • Size

    507KB

  • Sample

    230402-m3hhksga24

  • MD5

    7c00b7f52dd97aabc3f2f5882e1fc27a

  • SHA1

    5bdff460107d3f0980ea6c0cb9204c76d277b471

  • SHA256

    97dc660f0cfb6909975a36775b43cf0140691be53b14960877f000d437e939ed

  • SHA512

    dcae9405094aa45d274dd8d124f8c41aed3f117882e321f829f6dd57a89de24fa11f3137fcf8bd531bb8c61339d8019f32da094602ac214bdb0c45679583ac7d

  • SSDEEP

    12288:t9XaGEE2LKfIL2hTmiJoMDdFqv9626Gm7okH1F:nazqhTJzdFq162Sk8F

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.southernboilers.org
  • Port:
    587
  • Username:
    info@southernboilers.org
  • Password:
    Sksmoke2018#
  • Email To:
    obtxxxtf@gmail.com

Targets

    • Target

      QUOTATION.exe

    • Size

      725KB

    • MD5

      627d531f2361508ce6d650dfb74f50b7

    • SHA1

      74cdf31cf47ce5898fc6391bfdd1b8801bc2813f

    • SHA256

      fa1cb59a2e33d1b2256194f4741afc762ef819cf058614afd490f56e5e92bcd5

    • SHA512

      e13dc5bdf4e48cabdfe165fdad52c686d64d583e91d7251ea0b70d0437dd13be7fbbc56e5d81ae1647a6a04ff47a3c8aa84076ba5a049e907fa0dd02afa51066

    • SSDEEP

      12288:nUuXMbBzUnxUn7bNVVebMyywV42hhmihgMDdvqv96q6GmdEk9z:fXMbynWnlwVHh1hbdvq16qSmu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task: T1053 (1)

  • Persistence

    Scheduled Task: T1053 (1)

  • Privilege Escalation

    Scheduled Task: T1053 (1)

  • Credential Access

    Credentials in Files: T1081 (3)

  • Discovery

    Query Registry: T1012 (1)

    System Information Discovery: T1082 (2)

  • Collection

    Data from Local System: T1005 (3)

    Email Collection: T1114 (1)
