Overview

overview

10

Static

static

1

PO 0051-23.exe

windows7-x64

10

PO 0051-23.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO 0051-23.exe

  • Size

    318KB

  • Sample

    230403-gm2nmaee4t

  • MD5

    76d08c9a795cb286eb92d8ab41d1bff5

  • SHA1

    b00f94fc957f25fcb4fdccb8aad1d679247cde04

  • SHA256

    0e4ea6322dba2d469a0e405188c76f6cd9332e193071048192621abf85bf7cdc

  • SHA512

    2fb51728fcaca60b38094278e9e9571bc6e4ddd33226614dd9eedd066d7a551fc714a2f8d336ccadf8f8ca690b56339e85b089efdfe315b26f7728e84da23002

  • SSDEEP

    6144:PYa63sAnyhbptQUF310y/LGcCn75IDouSHwoX1TzseW6:PYlFn2tFFF0y/LS7ohSHwoX1/seW6

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Targets

    • Target

      PO 0051-23.exe

    • Size

      318KB

    • MD5

      76d08c9a795cb286eb92d8ab41d1bff5

    • SHA1

      b00f94fc957f25fcb4fdccb8aad1d679247cde04

    • SHA256

      0e4ea6322dba2d469a0e405188c76f6cd9332e193071048192621abf85bf7cdc

    • SHA512

      2fb51728fcaca60b38094278e9e9571bc6e4ddd33226614dd9eedd066d7a551fc714a2f8d336ccadf8f8ca690b56339e85b089efdfe315b26f7728e84da23002

    • SSDEEP

      6144:PYa63sAnyhbptQUF310y/LGcCn75IDouSHwoX1TzseW6:PYlFn2tFFF0y/LS7ohSHwoX1/seW6

    Score
    10/10
    agentteslacollectionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks