Overview

overview

10

Static

static

3

Remittance Wire.exe

windows7-x64

10

Remittance Wire.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    Remittance Wire.zip

  • Size

    636KB

  • Sample

    230505-lw7y8ahc79

  • MD5

    3e5c11eb7fc9a39d8141521d67dcfa1f

  • SHA1

    e78ab130df7eac714ca6a57358cbcd627b5c43f1

  • SHA256

    fdb613bc7b3513e40264ad2bebe7eb17c2960fdf3a525912d714553014b1e5be

  • SHA512

    b16b1944d51552e32d0dfc0fba11e1ebc698e8d711d001220979dca1232096bf079a31681970a7b63ccf6d1aa3bb4cadc93957040fc5847d860190b53e014159

  • SSDEEP

    12288:ggnHmJyQ+626af2K2tiBRZq3cX6mp1xsvxaUefk2rl4E:PGoajbtik37S1xDE2H

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.bulktz.com.ng
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    rd)51MaI%k]E

Targets

    • Target

      Remittance Wire.exe

    • Size

      853KB

    • MD5

      8a7b236a850f5dc04d4115cdd406e1cb

    • SHA1

      2bc3ac6668d8b2efa04137cdf65fdb5f52790b31

    • SHA256

      251ca0215e976403d529fba60bd67ca614a3e6b18a7f2420c64acbf31400ed7c

    • SHA512

      ca9c9e1bae651fa7217e722aa26abf1810be124192dfa0eae9eb91623a271911150fdd8ffc74ee13bb23d562db30a7976959320b7f2499d2ff8f603cd5b17a89

    • SSDEEP

      12288:5hsK11KJaz28qRJsLKy+erFIur6YRrxK/NaAe7R0BZo0O:5xPKJ7RJ0KjoFInOrxJxQnO

    Score
    10/10
    agentteslacollectionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks